Overview of the QNAP Zero-Days
Several QNAP (Quality Network Appliance Provider) Operating Systems for Network Attached Storage (NAS) zero-day vulnerabilities have been discovered and are now impacting over 80,000 devices. These were discovered as zero-day vulnerabilities and are still unpatched for two of the four affected Operating Systems. QNAP is responsible for providing network-attached storage appliances used for sharing files, storage management and surveillance applications, and virtualization. Basically, QNAP is the spot to back up all of your important files, photos, media, and music, an overall storage hub.
The vulnerabilities can be traced through CVE-2022-27597 and CVE-2022-27598, which are memory access violations that could cause unstable code and provide a patch for an authenticated cybercriminal to execute arbitrary code. If these are exploited, the vulnerability allows remote authenticated users to get secret values.
These vulnerabilities affect the QTS, QuTS hero, QuTScloud, and QVP OS. It appears QNAP has released fixed versions in QTS version 5.0.1.2346 build 20230322 and later, and the QuTS hero version h5.0.1.2348 build 20230324 and later. Unfortunately, both the QuTScloud and QVP OS remain unpatched, but QNAP is working on a fix for these flaws.
If your device is affected, you can secure it by regularly updating your system to the latest version, which is a common best practice used for many appliances and software versions. If these vulnerabilities have impacted your device, follow the steps below to update or visit the QNAP website for more information.
How to update your QTS, QuTS hero, or QuTScloud device:
- First, log in to QTS, QuTS hero, or QuTScloud as an administrator.
- Then, go to Control Panel > System > Firmware Update.
- Finally, under Live Update, click Check for Updates. This will automatically choose the latest version and install it. You can also download the update from the QNAP website. Go to Support > Download Center and perform a manual update for your device.
How to update your QVP (QVP Pro Appliances):
- First, log in to QVP as an administrator.
- Then, go to Control Panel > System Settings > Firmware Update.
- Next, select the Firmware Update tab.
- After, click Browse to upload the latest firmware file.
- Lastly, click Update System to install the update. (You can also download the latest firmware file for your specific device from https://qnap.com/go/download.)
If your organization could benefit from managed security services to help keep your network and devices secure, consider speaking with an expert at M.A. Polce for help. As a managed service provider (MSP) and managed security service provider (MSSP), we specialize in a wide range of services, including IT support, network security, professional IT services, cyber risk management & compliance, consulting, and more. Contact us today to learn more about how we can assist your organization.
Sources
https://www.qnap.com/en-us/security-advisory/qsa-23-06
https://www.qnap.com/en-us/security-advisories?ref=security_advisory_details