QNAP patches another load of major NAS device security flaws

qnap
(Image credit: QNAP)

QNAP has released a series of new patches which address both high and medium severity vulnerabilities in its NAS devices that are used by both businesses and individuals to backup their data locally.

If left unpatched, these eight vulnerabilities, that affect all of the company's devices running vulnerable software, could be exploited by an attacker to take full control over a user's NAS device.

QNAP's QTS operating system and QuTS hero contain four high severity cross-site scripting (XSS) vulnerabilities tracked as CVE-2020-2495, CVE-2020-2496, CVE-2020-2497 and CVE-2020-2498. If exploited, these cross-site scripting vulnerabilities could allow remote attackers to inject malicious code in the company's File Station, System Connection Logs and in certificate configuration.

Thankfully though, all four high severity vulnerabilities as well as a medium severity command injection vulnerability have already been fixed in QuTS hero h4.5.1.1472 build 20201031 and later and in QTS versions 4.5.1.1456 and later. 

NAS software vulnerabilities

In addition to the five vulnerabilities in QTS and QuTS, QNAP also patched cross-site scripting vulnerabilities found in its Music Station, Multimedia Console and Photo Station NAS software. While the XSS vulnerability in Music Station is medium severity, the ones found in the company's Multimedia Console and Photo Station are both high severity.

To prevent future attacks, QNAP is urging all of its users to update their systems to the latest version. In order to deploy the QTS and QuTS hero security updates on your NAS device, users should log on to QTS or QuTS hero as administrator, go to Control Panel > System > Firmware Update and under Live Update, click on Check for Updates to download and install the latest update available.

To address the XSS bugs in Music Station, Multimedia Console and Photo Station, users should log on to QTS as administrator, open the App Center, search for the software they want to update and finally click on Update for each application.

As NAS devices are often used to store sensitive files and documents, keeping them updated and running the latest software version is of the utmost importance for users that don't want their data to end up in the hands of hackers.

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.