QNAP fixes even more serious security flaws on its NAS devices

QNAP has released a series of new patches which fix multiple high severity vulnerabilities that impact its NAS devices running the QES, QTS and QuTS hero operating systems.

In total, this latest round of security updates patch six vulnerabilities that affect older versions of the NAS maker’s FreeBSD, Linux and 128-bit ZFS based operating systems.

TIM Security Red Team Research, Lodestone Security and the CFF of Topsec Alpha Team discovered and reported these security bugs to QNAP which if left unpatched, could be used to carry out command injection or cross-site scripting (XSS) on the company’s NAS devices.

While the XSS vulnerabilities could allow a remote attacker to inject malicious code into vulnerable versions of QNAP’s apps, the command injection bugs could be used to elevate privileges, execute arbitrary commands or even take over a device’s underlying operating system.

NAS vulnerabilities

Although QNAP has issued patches for six different vulnerabilities in its software, all of these issues have already been fixed in QES 2.1.1 Build 20201006 and later, QTS 4.5.1.1495 build 20201123 and later and QuTS hero h4.5.1.1491 build 20201119 and later.

This means that updating the software on your NAS device is the easiest and fastest way to address all six vulnerabilities. To do so, you’ll need to log on to QES, QTS or QuTS hero as an administrator and go to Control Panel > System > Firmware Update. Under the Live Update section, you’ll need to click on Check for Update to have QES, QTS or QuTS Hero download and install the latest available update.

Additionally, the update can also be downloaded and installed manually by visiting the Support Download Center on QNAP’s website.

As NAS devices are often used to backup sensitive files and data, keeping them updated is of the utmost importance to prevent hackers from exploiting any known vulnerabilities.

Via BleepingComputer

Access the original article
Subscribe
Don't miss the best news ! Subscribe to our free newsletter :