QNAP Patches Firmware Update Injection Flaw

A while ago, F-Secure Corp.’s researchers found a flaw in QNAP’s operating system that could allow a hacker to gain full administrator access to your system, but luckily it has now been patched. That means that you should check you QNAP system if it has the latest firmware installed – but beware how you check it this time.

The investigation by the researchers found that attackers could use vulnerabilities in the device’s firmware update process to seize administrative control. This degree of control would give them the same rights as legitimate administrators, allowing attackers to do things like install malware, access content and data, steal passwords, and even remotely execute commands.

Harry Sintonen, senior consultant, security, F-Secure, developed a proof-of-concept exploit to confirm that these vulnerabilities could be exploited by attackers. “Many of these types of vulnerabilities are not severe on their own. But attackers able to put them together can cause a massive compromise,” said Sintonen. “Successful hackers understand that even small security oversights can become big opportunities with the right know-how.”

Sintonen’s proof-of-concept begins when the device sends unencrypted requests for firmware updates back to the company. This lack of encryption allows potential attackers to intercept and modify the response to that request. While it sounds simple, it isn’t and it requires quite a few skills to perform, and that’s the silver lining in the original story.

“In this case, attackers first need to put themselves between the update server and user, and this extra step is enough work to discourage many opportunistic or low-skilled attackers,” said Kauhanen.

Now that we got the background information, back to the story at hand. Since the possible exploitation occurs through the automated update process, you should update your QNAP NAS/NVR manually to QTS 4.2.3 build 20170121 or 20170124. Which version depends on your NAS device and the latter build is for the TS-809 and TS-809U models while the first mentioned build is for the rest. The manual firmware update is relatively simple and done in five simple steps.

1. Download the package from the QNAP download page
2. Log on as administrator to the QTS web console.
3. Go to ‘Control Panel’ > ‘System’ > ‘Firmware Update’ > ‘Firmware Update’.
4. Click ‘Browse’ and then locate the package on your computer.
5. Click ‘Update System’.

It’s nice to see companies acting quickly on such issues and releasing the appropriate patches.