Two security vulnerabilities in the firmware of QNAP’s Network-Attached Storage (NAS) devices, which were brought to its attention late last year, have yet to be fixed in legacy devices, reports have claimed.
NAS devices from the Taiwanese vendor have proved a popular target for hackers, who actively seek out vulnerabilities in products that are accessible over the internet.
The tardiness in addressing these critical vulnerabilities is uncharacteristic, as QNAP has been quick to mitigate the recent spate of attacks, from fixing a cross-site scripting vulnerability to issuing patches to neutralize malware that used the NAS device to mine cryptocurrency.
“We reported both vulnerabilities to QNAP with a 4-month grace period to fix them. Unfortunately, as of the publishing of this article, the vulnerabilities have not yet been fixed,” researchers at home security firm SAM Seamless Network noted.
In the post, SAM claims the vulnerabilities are “severe in nature” and were shared with QNAP on October 12, 2020, and on November 29, 2020.
One of them is a Remote Code Execution (RCE) vulnerability that affects any QNAP device connected to the Internet, while the other is an arbitrary file write vulnerability that exists in the DLNA server on the NAS devices.
In an e-mail to SAM, QNAP clarified that both issues have already been fixed for newer QNAP models that run the latest version of the firmware.
However, QNAP argues that given the nature of the vulnerabilities, it is still working on a fix for legacy devices, which should be available in the next few weeks.
Via: The Register