Unpatched QNAP Firmware Vulnerability Lets MITM Attacker Take Over NAS Devices
F-Secure claims to have discovered three vulnerabilities in QNAP network drives. By combining these three smaller vulnerabilities, an attacker could gain administrative privileges. The vulnerability has been known to the manufacturer for almost a year.
The vulnerability of the network drives starts with the update process. When the drives contact QNAP to check whether they are running the latest firmware, they do so without encryption. A man-in-the-middle attacker who masquerades as QNAP's server can return a fake firmware update that gives an outside attacker administrative privileges. The attacker can then do whatever he wants, such as stealing passwords.
The Finnish company F-Secure says it reported the vulnerability to QNAP as early as February 2016, but no update has been released yet. On the F-Secure blog, the company states that QNAP is now working on a solution. That same blog post also explains the technical details of the vulnerability.
The security company conducted its research and testing with the QNAP TVS-663. However, the company suspects that more than 1.4 million devices are vulnerable. That number is based on how many devices are running the vulnerable firmware, which is QTS version 4.2 and newer. Affected users are advised to at least disable automatic updating of the NAS and to get any updates manually from the QNAP site itself.