[QNAP] Security Alert for Firmware Update Vulnerabilities

Posted: 19 Jan 2017, 18:01
by micke
Release date: January 18, 2017
Last updated: January 19, 2017
Bulletin ID: NAS-201701-18
Severity rating: Medium
Affected products:
  • All QNAP NAS running QTS
Summary

QNAP is currently addressing several vulnerabilities reported by F-Secure, a cyber security company. Based on the proof-of-concept exploit, successful attacks during the firmware update process may grant attackers administrator access to the NAS. However, these vulnerabilities are not easily exploited if the NAS is connected to a wired environment.

We will update QTS and then release fixes as soon as possible. In the meantime, users can choose to disable automatic updates and avoid clicking the "Check for Update" button on the Live Update tab. Instead, QNAP recommends performing a manual update from the Firmware Update tab.

Disabling Live Update
  1. Log on as administrator to the QTS web console.
  2. Go to "Control Panel" > "Firmware Update" > "Live Update".
  3. Deselect "Automatically check if a newer version is available when logging into the NAS web administration interface".
  4. Click "Apply".
https://www.qnap.com/en/support/con_show.php?cid=109