[German]NAS system vendor QNAP has released security updates for its firmware. In addition, an app is disabled for security reasons, because remote attackers can inject code into the firmware of the NAS storage. It seems that there is no security update for this vulnerability yet and the app has been disabled. Additionally, it seems that users are reporting issues after upgrading to QTS 5.0. Here is a collective post on these issues.
Currently I can't find it anymore, but the days I saw a request on Facebook from a user whose QNAP system had been compromised even though the firmware was up to date. It came to my mind when I saw the following tweet from German IT magazine heise on Friday last week.
Vulnerability in QTS and QuTS hero
In security advisory QSA-21-50, dated November 19, 2021, QNAP discloses a vulnerability in QNAP NAS devices running QTS and QuTS hero. It is a heap-based buffer overflow vulnerability that affects QNAP NAS devices with Apple File Protocol (AFP) enabled in QTS or QuTS hero. If this vulnerability is exploited, attackers can execute arbitrary code. QNAP has addressed this vulnerability through firmware updates to the following versions:
- QTS 5.0.0.1808 build 20211001 and later
- QTS 4.5.4.1800 build 20210923 and later
- QTS 4.3.6.1831 build 20211019 and later
- QTS 4.3.3.1799 build 20211008 and later
- QuTS hero h5.0.0.1844 build 20211105 and later
- QuTS hero h4.5.4.1813 build 20211006 and later
The manufacturer recommends a timely update of the affected NAS firmware.
Vulnerability in Multimedia Console
With a release date of November 12, 2021, QNAP has also published security advisory QSA-21-45. Multimedia Console vulnerability CVE-2021-38684 exists, this vulnerability allows attackers to execute arbitrary code. This vulnerability has been fixed in the following versions:
- Multimedia Console 1.4.3 (2021/10/05) and later
- Multimedia Console 1.5.3 (2021/10/05) and later
Again, an update to the relevant version of the Multimedia Console was recommended.
Unpatched vulnerability
German site heise pointed out in this article that there is an unpatched Reflected XSS vulnerability (CVE-2021-38681) in Ragic Cloud DB. QNAP has pointed out in security advisory QSA-21-48 that the reflected cross-site scripting (XSS) vulnerability allows remote attackers to inject malicious code. Since there is no security update yet, Ragic Cloud DB has already been disabled and removed from QNAP App Center until a security patch from Ragic is available.
QTS 5.0 issues
I can't evaluate it since I don't use a QNAP NAS drive. I noticed some postings on Facebook in the user group complaining about problems after upgrading to QTS 5.0. Here is a complaint about problems in QTS 5.0:
Dared to update to qts 5 today and promptly phpmyadmin went bye-bye. No more accesses to the DB possible.
The app is still on the interface and can be started. However, when entering the password, an error message appears.
In the control panel under applications the entry SQL Server is now also missing.
A downgrade to qts 4.5.4 brought the old state back. MySQL is running again.
One user gave the advice to wait for QTS 5.0x or 5.1. Another user wrote that the problem is known because the MariaDB5 server from the Appstore is installed during the upgrade. When transferring the old data, there are probably problems with timeouts. The error can be fixed with the following command on the SSH console:
/usr/local/mysql/bin/mysqld --tc-heuristic-recover=ROLLBACK --basedir /usr/local/mysql --datadir /share/CACHEDEV1_DATA/.@qmariadb/data
After that used the command:
/etc/init.d/mariadb5.sh stop
and the command
/etc/init.d/mariadb5.sh start
and everything should work again. It would be important to adapt the path to the circumstances of the NAS (CACHEDEV1 could also be MD0_DATA for example). Another user writes in another post:
Was again so stupid and have already updated to OS 5! have only problems!!!
However, this is not very informative. There are also two factions in the thread: I have no problems, and the second faction: I also have only problems. Question: Are there people who have problems with QTS 5.0 and can name them?
