QNAP has released security updates to fix multiple high severity security vulnerabilities impacting network-attached storage (NAS) devices running the QES, QTS, and QuTS hero operating systems.

In total, the NAS maker has patched six vulnerabilities affecting earlier versions of its FreeBSD, Linux, and 128-bit ZFS based OSs.

The command injection, cross-site scripting (XSS), and hard-coded password security bugs have been reported by TIM Security Red Team Research, Lodestone Security, and the CFF of Topsec Alpha Team.

XSS vulnerabilities fixed today could allow remote attackers to inject malicious code in vulnerable app versions following successful exploitation.

Attackers abusing the command injection bugs could also elevate privileges, execute arbitrary commands on the compromised device or app, or even take over the underlying operating system.

The list of vulnerabilities QNAP patched today includes:

  • CVE-2020-2503: Stored cross-site scripting QES vulnerability — enables remote attackers to inject malicious code in File Station.
  • CVE-2020-2504: Absolute path traversal QES vulnerability — enables attackers to traverse files in File Station.
  • CVE-2020-2505: QES vulnerability — allows attackers to gain sensitive information via generation of error messages.
  • CVE-2016-6903: Command injection QES vulnerability — enables remote attackers to run arbitrary commands in Ishell.
  • CVE-2020-2499: Hard-coded password QES vulnerability — enables attackers to log in with a hard-coded password.
  • CVE-2020-25847: Command injection (QTS and QuTS hero) vulnerability — enables attackers to execute arbitrary commands in compromised apps. 

QNAP says that they have already fixed these security issues in QES 2.1.1 Build 20201006 and later, QTS 4.5.1.1495 build 20201123 (and later), and QuTS hero h4.5.1.1491 build 20201119 (and later).

“To secure your device, we strongly recommend updating your system to the latest version to benefit from vulnerability fixes,” QNAP said in the advisories.

To see the latest updates available for your NAS devices, you can check the product support status.

To deploy the security updates published today by QNAP on your NAS device you have to follow this procedure:

  1. Log on to QES, QTS, or QuTS hero as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update. QES, QTS, or QuTS hero downloads and installs the latest available update.

The update can also be downloaded and installed manually from the Support Download Center on QNAP’s website.

Earlier this month QNAP fixed another series of security issues affecting NAS devices running vulnerable versions of QTS and potentially leading to device takeover after successful exploitation.

NAS devices are frequently targeted by attackers attempting to steal sensitive documents or deploy malware payloads given that they are commonly used for backup and file sharing.

QNAP warned customers in October that some versions of the QTS OS are affected by the critical Windows ZeroLogon vulnerability if the NAS devices were configured as domain controllers.

QNAP also alerted customers in September of ongoing AgeLocker ransomware attacks targeting publicly exposed NAS devices by exploiting older Photo Station versions.

Qihoo 360’s Network Security Research Lab (360 Netlab) said in August that attackers were also scanning for vulnerable NAS devices trying to exploit a remote code execution (RCE) firmware vulnerability fixed more than three years ago, in July 2017.