QNAP Fixes Several High-Severity Vulnerabilities in Its NAS Systems

QNAP has issued yet another slew of fixes for vulnerabilities affecting its NAS systems, including some rated “high” severity. If exploited, these flaws could let attackers fully take over compromised systems.

NAS systems are important because they are often used as backup systems, hosting personal and vital data. Because these systems usually run fully fledged operating systems, they tend to be more exposed and have a larger attack surface.

Four high-severity vulnerabilities affected QTS and QuTS hero (CVE-2020-2495, CVE-2020-2496, CVE-2020-2497 and CVE-2020-2498), allowing remote attackers to inject malicious code into various components.

The remaining vulnerabilities (CVE-2020-2494, CVE-2020-2493, CVE-2020-2491) are cross-site scripting (XSS) flaws that likewise let attackers inject malicious code into different modules, such as Music Station, Multimedia Console and Photo Station.

QNAP has been issuing fixes over the past few months to deal with the numerous problems its NAS devices have faced. A couple of months ago, it had to fix a critical vulnerability related to Zerologon, which Iranian hackers are known to use.

In September, attackers hit NAS devices from QNAP with AgeLocker ransomware, prompting the developers to issue a new set of firmware updates.

In July, CISA and the NCSC issued a joint advisory regarding a malware strain known as QSnatch.

“The malware, documented in open-source reports, has infected thousands of devices worldwide with a particularly high number of infections in North America and Europe,” stated the advisory. “Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates.”

In every case, the most important step users can take is to keep their systems, including the firmware, updated to the latest version.