Legacy QNAP NAS devices vulnerable to zero-day cyberattacks

Legacy QNAP NAS devices vulnerable to zero-day cyberattacks

Security researchers have warned legacy QNAP NAS devices are vulnerable to zero-day cyberattacks. Although QNAP patched two vulnerabilities in recent firmware updates, the company acknowledged patches were not yet available for certain legacy devices.

Two Critical zero-day vulnerabilities (CVE-2020-2509 and CVE-2021-36195) could allow a remote unauthenticated attacker to manipulate data and take over QNAP network attached storage (NAS) devices.

Security firm SAM Seamless Network discovered the vulnerabilities in the legacy QNAP TS-231’s latest firmware, version 4.3.6.1446. Each of the vulnerabilities summarized below can result in unauthenticated remote code execution and arbitrary file write:

  • Web server (CVE-2020-2509): allows a remote attacker with access to the web server (default port 8080) to execute arbitrary shell commands, without prior knowledge of the web credentials.
  • DLNA server (CVE-2021-36195): allows a remote attacker with access to the DLNA server (default port 8200) to create arbitrary file data on any (non-existing) location, without any prior knowledge or credentials. It can also be elevated to execute arbitrary commands on the remote NAS as well.

According to Threatpost and SAM, QNAP released firmware updates for newer products. However, patches were not yet available for legacy products.

“A day after our publication we were contacted by QNAP about the security issues mentioned. They have clarified that the issues were already fixed for newer QNAP models (which run QTS version 4.5), but not for legacy models which include the TS-231 and other popular models. According to QNAP, due to the severity of the issues, they are working on a fix for legacy platforms as well, which will be available in the coming weeks,” Yaniv Puyeski of SAM’s security research team wrote in a blog post.

Readers may remember nearly a year ago when approximately 450,000 vulnerable QNAP NAS devices running Photo Station were exposed to the internet.

Last July, cyber criminals also used QSnatch malware to target vulnerable QNAP NAS devices.

Related Articles