Serious vulnerabilities in QNAP NAS not patched after almost a year

Three vulnerabilities in a NAS system of the Taiwanese company QNAP have not been patched almost a year after they were reported. The vulnerabilities can give an attacker full control over the device and thereby allow them to steal data and passwords, according to security company F-Secure.

F-Secure found the vulnerabilities in the QNAP TVS-663, but other devices of the manufacturer might be vulnerable as well. Taken individually, none of the vulnerabilities is especially severe, but the combination of the three is dangerous, according to Harry Sintonen, Senior Security Consultant at F-Secure.

An attacker is able to obtain admin privileges if the three vulnerabilities are exploited together. With these privileges attackers can install malware, send spam, or steal data and passwords.

The culprit is the automatic firmware update feature of the NAS. When the device receives an update, it performs no check that the firmware really comes from QNAP. This allows an attacker in a man-in-the-middle position to substitute a malicious firmware image during the update and take control of the device.
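The missing check described above is an origin check on the firmware image. The following Go program is an added illustration, not QNAP's updater code or anything from F-Secure's report: it places a model of an updater that accepts whatever image it is handed next to one that only accepts an image whose signature validates under a vendor public key baked into the device. The Ed25519-over-SHA-256 scheme, the function names, and the sample image bytes are assumptions made for the example; the keys are generated on the spot and are not real vendor keys.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// UnsignedUpdaterAccepts models an updater with no origin check: any
// non-empty image it receives, including one substituted in transit,
// is accepted.
func UnsignedUpdaterAccepts(image []byte) bool {
	return len(image) > 0
}

// SignFirmware produces the vendor's detached Ed25519 signature over the
// SHA-256 digest of the image. (Assumed scheme, chosen for illustration.)
func SignFirmware(vendorPriv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(vendorPriv, digest[:])
}

// VerifyFirmware is the check the article says is absent: the device only
// applies an image whose signature validates under a vendor public key it
// already trusts, so an image swapped on the network is rejected.
func VerifyFirmware(vendorPub ed25519.PublicKey, image, sig []byte) bool {
	if len(sig) != ed25519.SignatureSize {
		return false
	}
	digest := sha256.Sum256(image)
	return ed25519.Verify(vendorPub, digest[:], sig)
}

// Outcome records which of three update attempts an updater accepted.
type Outcome struct {
	GenuineAccepted  bool // vendor-signed image, unmodified
	TamperedAccepted bool // same image altered in transit, original signature kept
	ForgedAccepted   bool // altered image signed with a key the device does not trust
}

// Scenario runs the three attempts against both updaters.
func Scenario() (unsigned, signed Outcome, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample image; a real image would be a large firmware blob.
	genuine := []byte("FIRMWARE-IMAGE v4.2 (constructed sample)")
	sig := SignFirmware(vendorPriv, genuine)

	// Image modified on the wire, signature left as it was.
	tampered := append([]byte(nil), genuine...)
	tampered[len(tampered)-1] ^= 0xff

	// Image signed by a key the device has no reason to trust.
	_, untrustedPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	forgedSig := SignFirmware(untrustedPriv, tampered)

	unsigned = Outcome{
		GenuineAccepted:  UnsignedUpdaterAccepts(genuine),
		TamperedAccepted: UnsignedUpdaterAccepts(tampered),
		ForgedAccepted:   UnsignedUpdaterAccepts(tampered),
	}
	signed = Outcome{
		GenuineAccepted:  VerifyFirmware(vendorPub, genuine, sig),
		TamperedAccepted: VerifyFirmware(vendorPub, tampered, sig),
		ForgedAccepted:   VerifyFirmware(vendorPub, tampered, forgedSig),
	}
	return
}

func main() {
	unsigned, signed, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("no origin check:        %+v\n", unsigned)
	fmt.Printf("signature verification: %+v\n", signed)
}
```

The point of the comparison is that transport security alone does not close the gap: a device that verifies a signature under a key it already holds rejects the tampered and forged images even when the download channel itself was intercepted, which is exactly the man-in-the-middle case the article describes.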

F-Secure reported the vulnerabilities to QNAP in February last year, but the company still hasn't patched them. So far only the TVS-663 is known to be affected, but because QNAP uses the same firmware on multiple models, it is very likely that other QNAP NAS devices are vulnerable as well.

At least 1.4 million TVS-663 devices are running the firmware, and possibly millions of other QNAP devices are just as vulnerable. QNAP is the second-largest NAS supplier in the world. F-Secure recommends that QNAP owners running QTS firmware 4.2 (or later) disable automatic updates and check for updates manually until the issue is fixed.