Critical vulnerabilities on QNAP NAS devices; update now

QNAP security teams have released a set of updates to fix multiple critical vulnerabilities present on their network-attached storage (NAS) devices with QES, QTS, and QuTS hero operating systems. In total, six product vulnerabilities for FreeBDS, Linux, and ZFS were fixed.

Reported failures would allow cross site scripting (XSS) attacks, arbitrary command injection, and password compromise on vulnerable versions of these products.

Threat actors abusing command injection errors could also elevate their privileges, execute arbitrary commands on the compromised device or application, and even take control of the underlying operating system. Reported failures include:

  • CVE-2020-2503: XSS flaw that would allow remote attackers to inject malicious code into File Station
  • CVE-2020-2504: Absolute path traversal vulnerability in QES that allows attackers to traverse files in File Station
  • CVE-2020-2505: This flaw allows remote hackers to access sensitive information in QES by generating error messages
  • CVE-2016-6903: Command injection vulnerability in QWES that allows remote attackers to execute arbitrary commands in Ishell
  • CVE-2020-2499: QES-encoded password flaw that allows malicious hackers to log in with a password encoded
  • CVE-2020-25847: Command injection vulnerability in QTS and QuTS hero that would allow attackers to execute arbitrary commands on compromised applications

The flaws were fixed in QES version 2.1.1 Build 20201006 and later, QTS Build 20201123 and later, and QuTS hero h4.5.1.1491 Build 20201119 and later. In its report, QNAP mentions: “It is strongly recommended to upgrade to the latest available version of your system to mitigate the risk of exploitation.”

Cybersecurity experts mention that NAS devices are often the subject of multiple attacks in which it is about stealing confidential documents or implementing malware payloads because they are usually used for backup or as file-sharing systems. The company alerted its customers about the detected flaws, recommending that appropriate security measures be implemented to prevent malware infections and other attacks.