QNAP’s Security Team Caught Napping
4 Out Of 15 Is A Nasty Number Of Fixes
The QNAP QTS OS for their NAS devices is in the news, and not in a good way. Security researchers discovered 15 flaws between December 12, 2023, and January 23, 2024, and as of today QNAP has addressed only four of them. This delay has led to the vulnerabilities being publicly disclosed so that owners of QNAP devices are aware of the flaws their devices have. On the plus side, the disclosure has led to five more patches being released today, including one for the zero-day remote code execution vulnerability.
Many of the flaws are due to improper usage of the strcpy function, which copies a string with no regard for the size of the destination buffer and can therefore be leveraged to cause a buffer overflow and lead to code execution. There are also ones that allow an attacker to bypass multi-factor authentication (MFA), and a handful of other attack vectors. QNAP have overcome what they are calling coordination issues to release patches, and you should definitely grab them from the link at Bleeping Computer. It might be worth checking back to see if there are updates addressing the remaining six flaws.
The flaws uncovered by watchTowr analysts are primarily related to code execution, buffer overflows, memory corruption, authentication bypass, and XSS issues, impacting the security of Network Attached Storage (NAS) devices across different deployment environments.
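To show why unbounded strcpy is the root of so many of these bugs, here is an added illustration written for this post; it is not QNAP or watchTowr code and says nothing about the actual QTS internals. The record layout, field size and function names are made up for the example. The unsafe version copies until it finds a NUL, so any input of 16 or more characters writes past `name` and into whatever follows it in memory; the bounded version refuses inputs that do not fit and reports that to the caller instead of silently corrupting adjacent data.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16  /* constructed buffer size for the example */

/* Hypothetical record: a fixed-size name followed by a privilege flag.
 * With strcpy, an over-long name runs straight into is_admin. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* The unsafe pattern the article describes. Defined for contrast only;
 * nothing below calls it, because calling it with a long string is
 * undefined behaviour (a buffer overflow). */
void set_name_unsafe(struct account *a, const char *src)
{
    strcpy(a->name, src);   /* no length check: overflows when strlen(src) >= NAME_LEN */
}

/* Hardened replacement: copy at most dst_len-1 bytes, always NUL-terminate,
 * and return -1 (with dst emptied) when src does not fit rather than truncating
 * silently or writing out of bounds. Returns 0 on success. */
int set_name_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst == NULL || src == NULL || dst_len == 0)
        return -1;

    /* Bounded scan for the terminator: never read more than dst_len bytes of src. */
    size_t n = 0;
    while (n < dst_len && src[n] != '\0')
        n++;

    if (n == dst_len) {     /* no NUL within dst_len bytes: src needs > dst_len-1 chars */
        dst[0] = '\0';
        return -1;
    }

    memcpy(dst, src, n + 1);  /* n characters plus the terminating NUL */
    return 0;
}

int main(void)
{
    struct account a = { "", 0 };

    /* Constructed inputs: one that fits, one that would have overflowed. */
    const char *ok_name   = "backup-user";
    const char *long_name = "this-name-is-far-too-long-for-the-field";

    if (set_name_bounded(a.name, sizeof a.name, ok_name) == 0)
        printf("stored '%s', is_admin=%d\n", a.name, a.is_admin);

    if (set_name_bounded(a.name, sizeof a.name, long_name) != 0)
        printf("rejected over-long name, is_admin still %d\n", a.is_admin);

    return 0;
}
```

The point of returning an error rather than quietly truncating is that the caller (an HTTP handler, for instance) can reject the request; truncation can itself change meaning, which is a different class of bug from the overflow but still worth avoiding.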
More Tech News From Around The Web
- Oh Sonos! App update borks users’ favorite features and worse @ The Register
- The AMD EPYC 4004 is Finally Here and Intel Xeon E Needs an Overhaul @ ServeTheHome
- Critical Fluent Bit flaw impacts all major cloud providers @ Bleeping Computer
- GitHub warns of SAML auth bypass flaw in Enterprise Server @ Bleeping Computer
- Apple says if you want to ship your own iOS browser engine in EU, you need to be there @ The Register
- HP Resurrects ’90s OmniBook Branding, Kills Spectre and Dragonfly @ Slashdot
- EcoFlow Wave 2 @ FunkyHome