Hundreds of thousands of QNAP devices vulnerable to remote takeover attacks

A firmware patch has been released last year, in November.

qnap.jpg

Image: QNAP

A Taiwanese security researcher published details today about three vulnerabilities in the firmware of QNAP network-attached storage (NAS) devices.

Henry Huang, the security researcher, said the bugs reside in Photo Station, a photo album app that comes preinstalled with all recent versions of QNAP NAS systems.

Huang says the Photo Station app is installed on around 80% of all QNAP NAS systems; a number the researcher believes to be around 450,000 devices, based on a rough estimate using results provided by the Shodan IoT search engine.

qnap-photo-station.png

QNAP Photo Station app

Image: QNAP

The Taiwanese security researcher says all these QNAP systems are vulnerable to remote takeover attacks.

In a Medium blog post today, Huang published in-depth technical details about three of four vulnerabilities he found in the QNAP devices. Three impact the Photo Station app, while a fourth impacts the QTS file manager app.

1) CVE-2019-7192 (CVSS 9.8) (Photo Station bug)
2) CVE-2019-7194 (CVSS 9.8) (Photo Station bug)
3) CVE-2019-7195 (CVSS 9.8) (Photo Station)
4) CVE-2019-7193 (CVSS 9.8) (QTS app bug, unrelated)

The researcher said the three Photo Station bugs can be chained together to bypass authentication (bug #1), insert malicious code in the Photo Station app PHP session (bug #2), and then install a web shell on unpatched QNAP devices (bug #3).

Huang says that since the Photo Station app runs with root privileges, attackers can exploit the three bugs to take full control over QNAP devices.

Bugs patched last year

The researcher said he found the four bugs last year and reported the issues to QNAP in June.

Following his report, QNAP released security updates for both the Photo Station and QTS apps in November 2019.

Instructions on how to apply the security updates are available on the QNAP support portal, here. Updating the QTS app requires a QNAP firmware upgrade, while the Photo Station app update is available via the QNAP App Center.

If device owners can't update right away, it's recommended that they disconnect devices from the internet to avoid attacks from botnets or ransomware gangs.

However, since NAS systems have been designed for the sole purpose of being available over the internet, upgrading their firmware and the Photo App respectively is the recommended course of action and will lead to the least disruption to all QNAP users.