QNAP warns of attacks on NAS operating system
Two command injection vulnerabilities have been discovered in QTS
QNAP has released a new security advisory warning users of two vulnerabilities that affect its QTS operating system which powers many of the NAS devices used by businesses and consumers to backup their data locally.
The vulnerabilities, tracked as CVE-2020-2490 and CVE-2020-2492, can be exploited to allow a remote attacker to execute arbitrary commands on NAS devices running versions of QTS released before September 8 of this year.
In its security advisory, QNAP doesn't provide that many details on how exactly these vulnerabilities can be exploited though they are both classified as command injection vulnerabilities. These types of vulnerabilities are particularly dangerous as they could allow for full take over of an affected device.
- We've assembled a list of the best antivirus software around
- These are the best NAS devices on the market
- Upgrade your NAS with one of the best NAS drives available
Thankfully though, QNAP has issued patches to address both vulnerabilities in QTS 4.4.3.1421 build 20200907 and later versions.
Updating QTS
In order to secure your NAS devices from any potential attacks leveraging these vulnerabilities, QNAP recommends that users update QTS to the latest version.
To do so, you'll first need to log on to QTS as an administrator and then navigate to Control Panel > System > Firmware Update. Under the Live Update section, click on Check for Update and then QTS will download and install the latest update available.
Alternatively, you can also go to QNAP's website and under Support, you can perform a manual update for your devices by heading to the download center.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
NAS devices are increasingly being targeted by cybercriminals and just last week, QNAP warned that Zerologon now affects NAS devices and a month ago, the company urged users to update their devices to avoid being infected with the AgeLocker ransomware.
- We've also highlighted the best endpoint protection software
Via BleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.