September 29, 2017 |

New NAS vulnerabilities are pretty much as bad as they get

If you have a QNAP network attached storage (NAS) device, you’d better make sure the firmware is updated. Earlier this year, F-Secure senior security consultant Harry Sintonen presented research on a series of vulnerabilities he found in a QNAP network attached storage (NAS) device. Unfortunately, Harry discovered more problems since then. And his newer discoveries […]

If you have a QNAP network attached storage (NAS) device, you’d better make sure the firmware is updated.

Earlier this year, F-Secure senior security consultant Harry Sintonen presented research on a series of vulnerabilities he found in a QNAP network attached storage (NAS) device. Unfortunately, Harry discovered more problems since then. And his newer discoveries are considerably more serious.

“The previous vulnerabilities I found were only useful to an attacker that put themselves between QNAP servers and their targets. That’s a difficult enough step to discourage most attackers from using those vulnerabilities as part of a widespread attack,” said Harry. “But that’s not the case with what I’ve found more recently.”

Harry’s advisory gives a technical deep dive of the new vulnerabilities he found. But basically, they allow attackers to remotely take over the device by using what’s known as a “command injection”. And that’s exactly what it sounds like: an attacker remotely inserts commands for your NAS device to run.

Not only does this allow attackers to access any data the device contains, but they can also do things like delete information, lock out other users (including the device owners), hijack the device for use in further attacks, and pretty much whatever else they want.

Or, as F-Secure cyber security expert Janne Kauhanen puts it, this is pretty much as bad as vulnerabilities get. “These vulnerabilities are easy, attractive targets for attackers. They don’t require any special hacking kung-fu, like special access privileges, to use. Attackers can use vulnerabilities like this to fully compromise the security of the device, as well as the confidentiality of any information it contains.”

And to make matters worse, exposed NAS drives give attackers an opportunity to be a lot more creative about their scams. “A storage device like this can basically be used like an online server,” explains Janne. “It’s easy for attackers to store anything on your device, to run any kind of service from there. From a web shop selling dubious goods or services, to an attack platform launching further attacks all over the internet, leaving you to explain why the attacks originate from your home. Or they can plant some compromising material on your NAS device and use it to blackmail you – what Russians call ‘kompromat’.”

“Online extortion is hugely successful, and in scenarios like this, it doesn’t matter whether or not you actually do something wrong. The only thing standing between you and a motivated extortionist is the security of the devices you depend on,” adds Janne.

So who needs to be worried? Well, Harry used a QNAP TVS-663 during his research to confirm his findings. But the real problem lies in the firmware, which is typically a big problem in a lot of internet-connected devices (routers, webcams, and other inexpensive devices that connect to the internet).

These same vulnerabilities are likely found in any device running the same firmware (in this case, QTS 4.2.3). Harry found almost 90,000 devices that he thinks may be vulnerable. But he limited his search to devices currently online, so the number may be higher.

F-Secure Researcher and QNAP NAS device owner Mikael Albrecht thinks insecure NAS units are a much bigger problem than other Internet of Things (IoT) devices. “As a QNAP owner I’m naturally shocked when reading Harry’s advisory. I’m used to security problems in IoT-gadgets, but an insecure NAS is far more severe. Most of the digital stuff I have produced during my whole life is on that device! Luckily QNAP has a working process for distributing updates, and does it quite frequently.”

And there’s the good news: QNAP has already fixed the problem and released an updated version of the vulnerable firmware. According to Harry’s advisory, they took care of this problem pretty quickly, and much better than the response other device vendors have given when confronted with security problems in their products.

So if you have a QNAP NAS device, you better update it now (or make sure it’s running QTS 4.2.4). In fact, you should consider keeping a closer eye on any internet-connected devices you have to make sure the firmware is updated. The sheer number of IoT devices flooding the market, many of which lack the kind of security people need to keep their information private and safe, gives criminals a lot more ways to attack individuals and companies. So you might as well get in the habit of keeping these devices updated and secure.

F-Secure media relations 

Geoff Dorrington

PR manager, F-Secure UK & Ireland

E: geoff.dorrington@f-secure.com

T: 01753 376592

 

 ###

 

Latest Press Releases

August 9, 2019

Serious security issue in F5’s BIG-IP could lead to cyber breaches en masse

F-Secure security consultant Christoffer Jerkeby discovers security flaw with the potential to turn hundreds of thousands of load balancers into beachheads for cyber attacks

July 31, 2019

Finance sector: A one-stop shop for attackers

F-Secure’s Cyber Threat Landscape for the Finance Sector highlights the broad range of threats facing the global finance sector

July 19, 2019

F-Secure’s Managed Detection and Response solution Countercept wins EUR 2m+ deal

Helsinki, Finland—July 19, 2019: F-Secure’s Managed Detection and Response (MDR) solution Countercept has won a multi-year deal worth than more than EUR 2m to defend a major European enterprise customer. “Countercept keeps impressing businesses that know cyber security is critical to their success,” says Tim Orchard, Managing Director, F-Secure Countercept. “It’s not just the technical […]

July 18, 2019

Free tool reveals the true cost of ‘free’ online services — your data and identity

The Data Discovery Portal helps uncover what Facebook, Amazon, Google, and other tech giants know about consumers.

%d bloggers like this: