Critical vulnerabilities on QNAP NAS devices; update now

QNAP security teams have released a set of updates to fix multiple critical vulnerabilities present on their network-attached storage (NAS) devices running the QES, QTS, and QuTS hero operating systems. In total, six product vulnerabilities for FreeBSD, Linux, and ZFS were fixed.

The reported flaws would allow cross-site scripting (XSS) attacks, arbitrary command injection, and password compromise on vulnerable versions of these products.

Threat actors abusing the command injection flaws could also elevate their privileges, execute arbitrary commands on the compromised device or application, and even take control of the underlying operating system. The reported flaws include:

  • CVE-2020-2503: XSS flaw that would allow remote attackers to inject malicious code into File Station
  • CVE-2020-2504: Absolute path traversal vulnerability in QES that allows attackers to traverse files in File Station
  • CVE-2020-2505: This flaw allows remote hackers to access sensitive information in QES by generating error messages
  • CVE-2016-6903: Command injection vulnerability in QES that allows remote attackers to execute arbitrary commands in lshell
  • CVE-2020-2499: Encoded-password flaw in QES that allows malicious hackers to log in with an encoded password
  • CVE-2020-25847: Command injection vulnerability in QTS and QuTS hero that would allow attackers to execute arbitrary commands on compromised applications

The flaws were fixed in QES version 2.1.1 Build 20201006 and later, QTS 4.5.1.1495 Build 20201123 and later, and QuTS hero h4.5.1.1491 Build 20201119 and later. In its report, QNAP mentions: “It is strongly recommended to upgrade to the latest available version of your system to mitigate the risk of exploitation.”

Cybersecurity experts mention that NAS devices are often the target of attacks aimed at stealing confidential documents or deploying malware payloads, because they are usually used for backup or as file-sharing systems. The company alerted its customers about the detected flaws, recommending that appropriate security measures be implemented to prevent malware infections and other attacks.