Q
Problem solve Get help with specific problems with your technologies, process and projects.

What QNAP vulnerabilities affected storage devices?

QNAP vulnerabilities in NAS enabled attackers to control devices. Expert Judith Myerson explains each of the QNAP NAS vulnerabilities and their fixes.

QNAP Systems Inc. patched vulnerabilities that could have enabled attackers to take control of its network-attached...

storage products. What were the QNAP vulnerabilities and how serious were they?

The most serious of the QNAP vulnerabilities were found in version 4.2.4 of QTS, the Linux-based operating system running on QNAP network-attached storage (NAS) devices. All the devices were connected to a network that provided access to a heterogeneous group of clients.

These vulnerabilities -- tracked as CVE-2017-6359 and CVE-2017-6360 -- received the highest Common Vulnerability Scoring System (CVSS) severity score of 10, meaning the vulnerabilities were network-exploitable with low complexity attacks and no authentication required. The attacker could exploit the authentication bypass vulnerability by gaining root access to take control of the affected devices.

With little knowledge, the attacker could automate the exploitation of command injection flaws and attack a QNAP NAS device. The device had to be connected to the internet for the exploitation to happen, and when it did, sensitive information could be disclosed and maliciously modified.

The victims would not be able to access the system resources that they needed to properly manage the devices. The system would completely shut down. All data would be lost if the victim didn't regularly back it up.

Another of the QNAP vulnerabilities was a poorly encrypted domain administrator password. This vulnerability -- tracked as CVE-2017-5227 -- received a medium CVSS severity score of five out of 10.

The attacker could see the password's location in the Linux configuration file. This file could reveal that the NAS device joined as an Active Directory domain. Legitimate Linux clients are authenticated to Active Directory via several Pluggable Authentication Modules that are part of most Linux distributions. This type of authentication is part of the Linux-Window integration.

According to QNAP, the flaws were patched with the release of QNAP QTS 4.2.4 build 20170313. The update patched privilege escalation, command injection, SQL injection, cross-site scripting, clickjacking, credentials management, access bypass and various memory corruption vulnerabilities. Newer versions of QNAP QTS are now available.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Next Steps

Check out the ultimate guide to network-attached storage

Find out how to combat NAS device security risks

Learn how USBee turns USB storage devices into covert channels

This was last published in November 2017

Dig Deeper on Network device security: Appliances, firewalls and switches

PRO+

Content

Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What has been your experience with QNAP NAS and security?
Cancel

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly.com

  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...

Close