Download Firmware QNAP TS-xx0/xx2/xx9 4.2.4 build 20170313

QNAP has released version 4.2.4 of the firmware on various models of its NAS devices, and now the first update with some bug fixes is also available. Since version 4.2, the interface has been refreshed and security improved. For example, a two-step login procedure can now be set up, via a login code generated with an app. In addition, media can now be streamed to several devices simultaneously and several improvements have been made regarding virtualization and storage management. The complete changelog is up this page to find. This release fixes the following issues:

Bug fixes

• Fixed an issue where an error message would appear when the Docker Certificate expired due to users manually setting the time forward.
• Fixed an issue where RTRR FTP backup jobs would not accept passwords that contained more than 16 characters.
• Fixed an issue where users could not upload files larger than 4 GB in File Station when using Internet Explorer 11.
• Fixed an issue where bluetooth devices would disappear from the device list after Container Station was installed and enabled.
• Fixed an issue where users could not connect a Mac to the NAS when using L2TP/IPsec VPN service.
• Fixed an issue where the System Logs would incorrectly display VPN connections as PPTP when PPTP was enabled.
• Fixed an issue where unexpected errors would occur when key combinations were used consecutively in HybridDesk Station.
• Fixed an issue where users could not use Affinity Photo to edit the photos in NAS shared folders mounted on OS X via AFP.
• Fixed an issue where the system would not automatically check for available firmware updates when users logged in after setting the date format as DD/MM/YYYY.
• Fixed a configuration file vulnerability that could be exploited to compromise the security of sensitive data. (CVE-2017-5227)
• Fixed a stack overflow vulnerability that could be exploited to gain control of the EIP register.
• Fixed a SQL injection vulnerability that could be exploited to execute arbitrary SQL commands
• Fixed a command injection vulnerability in transcoding that could be exploited to execute unauthorized commands.
• Fixed a heap overflow vulnerability.
• Fixed a cross-site scripting vulnerability that could be exploited to inject arbitrary JavaScript commands.
• Fixed 2 stack overflow vulnerabilities that could be exploited to cause segmentation faults and gain control of the EIP register.
• Fixed a command injection vulnerability that could be exploited to execute unauthorized commands. (CVE-2017-6361)
• Fixed a command injection vulnerability that could be exploited to gain administrator privileges and unrestricted access to sensitive data. (CVE-2017-6360)
• Fixed a command injection vulnerability that could be exploited to gain the administrator privileges and execute unauthorized commands. (CVE-2017-6359)
• Fixed an access control vulnerability that would incorrectly restrict authorized user access to resources.
• Fixed 2 stack overflow vulnerabilities.