Geeks for your information News Privacy & Security News v
Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack
Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack
silversurfer Offline
Staff Member
******
Posts: 3,885
Threads: 3,283
Thanks Received: 5,065 in 3,838 posts
Thanks Given: 6,200
Joined: 12 September 18
#1
Information  02 April 21, 17:41
Quote:Two critical zero-day bugs affect legacy QNAP Systems storage hardware, and expose devices to remote unauthenticated attackers.
 
The bugs, tracked as CVE-2020-2509 and CVE-2021-36195, impact QNAP’s model TS-231 network attached storage (NAS) hardware, allowing an attacker to manipulate stored data and hijack the device. The vulnerabilities, also impact some non-legacy QNAP NAS gear. However, it is important to note that patches are available for non-legacy QNAP NAS hardware.
 
A patch for the now-retired QNAP model TS-231 NAS device, first released in 2015, is scheduled to be released within weeks, QNAP representatives told Threatpost.
 
Patches for current model QNAP devices need to be downloaded from the QNAP download center and applied manually.
 
Both bugs were disclosed on Wednesday by SAM Seamless Network researchers, who released limited technical details. The disclosure was ahead of official QNAP public disclosure of the vulnerabilities, and was in line with SAM Seamless Network’s disclosure policy of giving a vendor three months to disclose vulnerability details. Both flaws were found in the Oct. and Nov. 2020 timeframe and made public Wednesday.
 
“We reported both vulnerabilities to QNAP with a four-month grace period to fix them,” researchers wrote. “Due to the seriousness of the vulnerabilities, we decided not to disclose the full details yet, as we believe this could cause major harm to tens of thousands of QNAP devices exposed to the internet.”
 
QNAP would not specifically say how many additional legacy NAS devices may be impacted. The company, in a statement to Threatpost said: “There are many hardware models of NAS in QNAP. (See: https://www.qnap.com/en/product/eol.php). In the list, you can find the models, the period of hardware repair or replacement, the supported OS and App updates and maintenance and the status of technical support and security updates. Most of the models, the security update could be upgraded to the latest version, i.e. QTS 4.5.2. However, some old hardware models have limits of firmware upgrade. For example, TS-EC1679U-SAS-RP could support only the legacy QTS 4.3.4.”

Read more: Legacy QNAP NAS Devices Vulnerable to Zero-Day Attack | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
Malwarebytes 5.2.10.182
Malwarebytes 5.2.1...Mohammad.Poorya — 16:46
Microsoft Defender Antivirus security in...
Microsoft Defender...harlan4096 — 13:44
AnyDesk 6.4.3 for Linux
AnyDesk 6.4.3 for ...harlan4096 — 09:51
AnyDesk 9.5.0 for Windows
AnyDesk 9.5.0 for ...harlan4096 — 09:51
Notepad++ v8.7.9 released 2025-04-02
Notepad++ v8.7.9 r...harlan4096 — 09:49

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (44)wapedDow
avatar (48)oapedDow
avatar (41)Sanchowogy
avatar (45)MeighGoask
avatar (46)creatralGuelm
avatar (37)procnipsut
avatar (43)accenwibly
avatar (40)ahyvily
avatar (37)urumahiz
avatar (43)techlignub
avatar (42)Stevenmam
avatar (49)onlinbah
avatar (49)fuspeukChark
avatar (43)werriewWaiNg
avatar (37)Freemanleo
avatar (42)cdoubapKit
avatar (37)lystraPonia
avatar (30)smith8395john
avatar (50)steakelask
avatar (44)Termoplenka
avatar (42)bycoPaist
avatar (48)pieloKat
avatar (42)ilyagNeexy
avatar (50)donitascene
avatar (50)burntLaw
avatar (40)MrDoorsskibheeds
avatar (50)Toligo
avatar (45)Rodneykak
avatar (48)tradeSmode
avatar (38)vemedProkbior
avatar (37)RobertUtelt
avatar (45)JamesZic
avatar (42)Sanfordbup
avatar (37)Der.Reisende

[-]
Online Staff
There are no staff members currently online.

>