QNAP disclosed a number of vulnerabilities today. What is interesting about these is that the build dates are from December 22 and 23, 2021, and they are just hitting the security advisory list today, January 1, 2022. That is about three weeks late. Given that, we wanted to point out two features one can use to get the newest builds and effectively apply the mitigations that QNAP is disclosing.
Mitigating Today’s and Future Vulnerabilities
We are going to post the vulnerability information below. With two high and one medium vulnerability, two of which cover multiple CVEs, QNAP’s suggested course of action is to update to the latest version or at least a newer version.
As a result, one can do two things to mitigate these in the future: turn on firmware auto-updates and turn on app auto-updates.
Turn on Firmware Auto-Update
Firmware auto-updating may be a bit more controversial since there are reasons users will not update NAS firmware regularly. For many who just use the NAS as a store for files when they are working, this is likely something that you would want to do.
Here you can go to the Control Panel -> System -> Firmware Update -> Auto Update and have the system install new firmware automatically.
Turn on App Auto-Update
The above setting will not auto-update the QNAP apps covered by two of the vulnerabilities. Instead, one must go to the AppCenter and turn on Auto Update there.
Here you go to AppCenter, then hit the settings gear on the top right and go to Update. There you can set an update frequency and choose to install every update or only recommended ones.
Set Update Notifications
For both of these, you can also set a notification. Many QNAP users do not know this, but QNAP has a very easy method to send notifications for events, including updates. Here is the notification for firmware updates:
Here is the start of the app update notification flow:
You can even turn on e-mail and integrate with services like Twilio and send SMS messages when there is an update available.
That example uses Gmail, but there are other options in the flow as well. You can also send the notification to multiple targets.
It would be nice if the time between an update and its vulnerability disclosure was shorter. For users that need a reason to update, something like having two high-risk fixes and one medium in a new version would be a good reason to hit the update button. Still, we just wanted to show that there is actually a lot of functionality one can use to protect themselves. This is similar to what we recently showed in Secure Your QNAP NAS Immediately From Latest Wave of Attacks. These NAS units have a lot of features, but they often need to be implemented by users.
Vulnerabilities listed below.
The Three QNAP Vulnerabilities Disclosed 2022-01-13
Here are the three vulnerabilities:
ID QSA-21-57 (Source: link)
A vulnerability has been reported to affect QTS 4.5.3 and later versions, and QuTS hero h4.5.3 and later versions. If exploited, the vulnerability allows attackers to run arbitrary code in the system.
We have already fixed the vulnerability in the following versions of QTS and QuTS hero:
- QTS 126.96.36.1991 build 20211221 and later
- QTS 188.8.131.522 build 20211223 and later
- QuTS hero h184.108.40.2062 build 20211222 and later
ID QSA-21-59 (Source: link)
A stack buffer overflow vulnerability has been reported to affect QNAP NAS running QVR Elite, QVR Pro, and QVR Guard. If exploited, this vulnerability allows attackers to execute arbitrary code.
We have already fixed this vulnerability in the following versions:
- QVR Elite 220.127.116.11 (2021/12/06) and later
- QVR Pro 18.104.22.168 (2021/12/06) and later
- QVR Guard 22.214.171.124 (2021/12/06) and later
ID QSA-21-60 (Source: link)
A cross-site scripting (XSS) vulnerability and an open redirect vulnerability have been reported to affect QNAP NAS running QcalAgent. If exploited, the vulnerabilities allow attackers to inject malicious code and redirect users to an untrusted site that contains malware.
We have already fixed these vulnerabilities in the following versions of QcalAgent:
- QcalAgent 1.1.7 and later