QNAP fixes even more serious security flaws on its NAS devices
QNAP has released a series of new patches which fix multiple high severity vulnerabilities that impact its NAS devices running the QES, QTS and QuTS hero operating systems.
In total, this latest round of security updates patch six vulnerabilities that affect older versions of the NAS maker’s FreeBSD, Linux and 128-bit ZFS based operating systems.
TIM Security Red Team Research, Lodestone Security and the CFF of Topsec Alpha Team discovered and reported these security bugs to QNAP which if left unpatched, could be used to carry out command injection or cross-site scripting (XSS) on the company’s NAS devices.
While the XSS vulnerabilities could allow a remote attacker to inject malicious code into vulnerable versions of QNAP’s apps, the command injection bugs could be used to elevate privileges, execute arbitrary commands or even take over a device’s underlying operating system.
Although QNAP has issued patches for six different vulnerabilities in its software, all of these issues have already been fixed in QES 2.1.1 Build 20201006 and later, QTS 18.104.22.1685 build 20201123 and later and QuTS hero h22.214.171.1241 build 20201119 and later.
This means that updating the software on your NAS device is the easiest and fastest way to address all six vulnerabilities. To do so, you’ll need to log on to QES, QTS or QuTS hero as an administrator and go to Control Panel > System > Firmware Update. Under the Live Update section, you’ll need to click on Check for Update to have QES, QTS or QuTS Hero download and install the latest available update.