QNAP caught napping as disclosure delay expires, critical NAS bugs revealed

Some QNAP network attached storage devices are vulnerable to attack because of two critical vulnerabilities, one that enables unauthenticated remote code execution and another that provides the ability to write to arbitrary files. The vulnerabilities were made known to the Taiwan-based company on October 12, 2020, and on …

  1. Version 1.0 Silver badge

    A safe connection to the Internet

    Turn the power switch off.

    We don't know all details and history of this latest vulnerability but the chances are that it's a result of a feature being updated. Companies that build devices that connect to the Internet, normally invest effort in making them secure, but then features are added and independently updated - resulting in this type of problem.

    The solution? If Google was making these devices then the NAS operating system would be updated every six months, and the NAS web server, DLNA server and other NAS apps would be updated every few days like my Android phone updates. - I think that this guarantees Internet security, the bugs aren't fixed - they are just moved every few days to prevent hacking make it difficult to reliably hack the device.

    1. Headley_Grange Silver badge

      Re: A safe connection to the Internet

      QNAP do issue firmware updates pretty frequently for both the OS and apps. Even models that their website says are out of support still get OS security updates. I only use my NAS on my local network and I've locked it out of direct access to the web using my router's firewall and I install updates manually.

    2. Steve K

      Re: A safe connection to the Internet

      My QNAPs receive firmware updates every 6 weeks or so.

      The QTS OS also lets you apply them automatically if you want to.

      The problem here - as with the more serious QNAP vulnerabilities of a couple of years ago - is where people set it up as a NAS or Internet-facing server and never apply updates. That is a problem, regardless of the device/manufacturer/OS.

      1. Michael Wojcik Silver badge

        Re: A safe connection to the Internet

        The problem here is that QNAP let a four-month grace period expire without fixing two critical issues they'd been notified of. People can't install updates to fix issues if those updates aren't available.

      2. Snake Silver badge

        Re: A safe connection to the Internet

        "My QNAPs receive firmware updates every 6 weeks or so."

        So does mine.

        But IMHO if QNAP spent a lot less time and energy writing code and adding "features" WE DON'T NEED...

        like Notification Center, because the system log seemed too simple; Multimedia Console which, along with SSD Profiler and other 'goodies' are a forced install even if you don't need them and can never be uninstalled

        ...their programmers would have more time reviewing code and FIXING SECURITY BUGS like QSnatch and these [posted] bugs faster than "dog slow".

        But this is just IMHO of course.

        1. Steve K

          Re: A safe connection to the Internet

          Quite right there!

          QuFirewall anyone? I know it's beta but it's useless anyway!

    3. John Brown (no body) Silver badge

      Re: A safe connection to the Internet

      "Companies that build devices that connect to the Internet, normally invest effort in making them secure, but then features are added and independently updated - resulting in this type of problem."

      That's a common feature across many areas of industry, especially the many service industries. There's always money for new stuff and not enough for maintenance. Making new stuff is cool. Fixing broken stuff is drudgery.

      1. Dimmer

        Re: A safe connection to the Internet

        QNAP was one of the first to have a cost effective box where you could put your own drives in running NFS.

        Adding one as a datastore on your ESX server makes a great backup device for a small or medium size biz.

        Over the years, it has gained more functionality and plugins. I turn all of it off when using it as a NAS. I also block all outbound at the firewall or simply don’t put DNS or a gateway in the static IP settings and run local.

        Met these guys at a trade show in Vegas when they were just getting started. They were originally sold as devices for video storage and were amazed that they were selling as fast as they were. I told them that not all of us can afford an EMC box and with the constant updates, supported drives and low cost made it a winner.

        It is like a Swiss Army knife, handy but lock it down when you put it in your network.

        1. Version 1.0 Silver badge

          Re: A safe connection to the Internet

          Sure - the QNAP boxes seem to be pretty good, I've got nothing against them - I just think that bugs like this are unfortunately quite common. If I have to run anything on the Internet then I run it behind a firewall and isolated from the internal network to reduce the risks if it's hacked - I always assume that hacking is possible, I hope that it's not but I'm not going to risk thinking that it's not.

          I do believe that with some decent precautions, your own NAS data is safer than cloud storage.

    4. Anonymous Coward

      Re: A safe connection to the Internet

      If Google was making these devices they would probably mirror your data (or metadata) and it would be hidden in the 108 page t&c's you didn't bother to read.

      1. Anonymous Coward

        Re: A safe connection to the Internet

        You would have also given permission to Google to use anything they find for their own purpose, without attribution, payment or other compensation.

        Go read the current Google Terms - it's in there. And it's into perpetuity as well.

  2. Anonymous Coward

    Authentication != Authorization

    QNAP taking a lesson from Synology?

    While not QNAP specific, a user on here named Stoneshop pointed out that Synology NAS's are designed in a way that logging in via SSH treats all users identically as long as they authenticate, thus all users have identical authorization. This drops the security model below that of even vanilla FTP. It appears QNAP is taking the Synology approach.

    For the DLNA part of the article... well DLNA should be entirely erased from any device that cares about security. I don't know the security features of DLNA, but I do know it wasn't designed to have ANY so anything security related is just glued on. Besides that, every DLNA UI I've ever seen reminds me of old school xhtml schema or even x500... they're always bad.

    1. Pascal Monett Silver badge

      Re: thus all users have identical authorization

      Sorry, but on my Synology DS414j I have five user profiles and none of them can do all the same things as any others.

      Each profile has its level of access to the 8 partitions my NAS has, from no access to read access to write access. Not every profile can write on the same partitions.

      It's very granular. I don't understand where Stoneshop is coming from. Of course, if two users have write access to a partition, they both have the same write access, but hey, what do you expect?

  3. Hull

    TS-231 spinning disks up when OFF

    My TS-231, bought new a few months ago, spins up its two also new 4TB Seagate Ironwolf disks about once a minute even if I explicitly turn it off.

    At the same time, the network indicator lights blink a few times. To make sure this is not some kind of Wake-On-Lan functionality, I've also tried physically disconnecting it from my LAN. No difference.

    I disconnected it from power after that. Anyone with the same behavior?

    1. Headley_Grange Silver badge

      Re: TS-231 spinning disks up when OFF

      I bought a new 4-bay QNAP a few months ago and I don't see this. Make sure you're really turning it off - e.g. poweroff via ssh - and not just hibernating it. Get in touch with QNAP support - I've found them helpful in the past.

  4. Anonymous Coward

    Confused ...

    ... why do these devices have their own software / firmware? Is there a good reason why they can't just run standard operating and file systems like "proper" file and storage servers? I'm probably missing something here, but what do you get from a QNAP or other consumer device that you don't get from a small server running, say BSD with ZFS, apart from a badge and a (one year?) warranty that probably isn't worth the additional dependency on some other company? (Especially as so many of these "device" companies seem to be rather better at hardware than software.)

    1. Headley_Grange Silver badge

      Re: Confused ...

      Just guessing, but I assume it's based on the fact that many of their desired customers are non-tecchie home and small business users who need extra storage, so the OS is designed to make things like RAID, integrity monitoring, share management, backup, etc. something they can do without needing specialists to set up and support it. I wouldn't be surprised if, in the early days, the proprietary OS's were little more than GUIs for standard server software.

      As others have pointed out, most NAS comes with suites of apps for streaming, backup, web and mail servers, cloud, surveillance, etc. and if you're going to discriminate against competitors then some autonomy in developing these is probably necessary, for which a proprietary OS is more convenient.

      1. katrinab Silver badge

        Re: Confused ...

        TrueNAS Core, formerly known as FreeNAS, is pretty easy to set up if you don't like editing FreeBSD configuration files in a text editor.

        Personally, I do like editing FreeBSD configuration files in a text editor, and find I can do things a lot quicker that way than in a GUI, but I realise it isn't for everyone.

        1. jtaylor

          Re: Confused ...

          "TrueNAS Core, formerly known as FreeNAS, is pretty easy to set up if you don't like editing FreeBSD configuration files in a text editor."

          Indeed they are. I played with FreeNAS at home then went to ZFS On Linux. Setup was fine. It was the patching and maintenance that put me off. I had to recompile the ZFS Linux kernel module each time, and replacing a failed drive took a little work.

          Life is good since I bought a Synology. It's not that I can't maintain RAID systems: that's part of my job. I just don't want to spend the day fixing Computer Problems for others and then come home to my own.

          If you prefer blinky lights to error logs, if you want more than 4 or 5 drives, if you look at power consumption, NAS hardware starts to look pretty good.

    2. Steve K

      Re: Confused ...

      QNAPs run a Linux distribution plus (I think) BusyBox, but support a load of packaged apps (e.g. media apps, Docker and LXC Container Station). I run pi-hole as a LXC container for example.

      If you want you can package your own apps as QPKG format to install them.

      They are running a proper OS, but it is packaged so that you can run it as an appliance without needing to do much config. What they could do is set the firmware update to be automatic by default, so that sufficiently technical users can disable it to match their desired manual update cadence. This then catches the “set and forget” users whose devices would otherwise never get updated.

    3. Henry Wertz 1 Gold badge

      Re: Confused ...

      "I'm probably missing something here, but what do you get from a QNAP or other consumer device that you don't get from a small server"...?

      Nothing, but you can plug it in and go, more convenient. This article aside, QNAP does release fairly frequent firmware updates for their devices, even old ones, so (unlike some products) this isn't a "roll your own and get updates" or "use stock firmware, and get updates until the product is discontinued then 0 updates".

      I don't have a QNAP, but I do have my wireless access points where I got a wireless access point rather than building one from components (... that said, I did replace the terrible stock firmware with DD-WRT.) Simply for convenience really.

      1. Anonymous Coward

        Re: Confused ...

        Maybe I wasn't sufficiently clear. I'm not remotely suggesting there isn't a market for end user devices that are just plug and play but I don't understand why the manufacturers who make them try to roll their own firmware and software apparently from scratch so much of the time. I presume they don't fab their own chips ... why are they so averse to assembling their firmware and software from widely available pre-fabricated components? I mean I can see I was probably wrong about QNAP specifically here, but I don't think I'm wrong in general (although I'm open to persuasion).

        I don't know much about commercial NAS precisely because I love ZFS and BSD and I like making my own NAS devices. And, as Henry Wertz 1 says, who wants to build a WAP? Just buy one. But given that DD-WRT is so superior to almost every WAP firmware out there, why are manufacturers of perfectly decent firmware wasting their time writing their own buggy efforts that don't remotely compare when they could just be artfully skinning it to give it their own brand coolness?

        I spend a lot of my time installing camera systems and similar and there's a lot of really very nice hardware out there ruined by absolutely pitiful software. I'm not suggesting QNAP do that - as above, it rather looks like they are one of the good guys - but it does still seem to me like they might be in the minority ...

        I just don't get why so many manufacturers that don't want to put much effort into developing their own code seem to go out of their way to avoid using the much better code that is already freely available ...

  5. FlamingDeath Silver badge

    Have they thought about other hobbies?

    No wonder the shitcunt software houses hide behind a user license agreement, none of them, literally “NONE OF FUCKEN THEM” can produce fault free code.

    At some point in history humans managed to master a lot of things. Fucking software coding is never going to be one of those things

  6. Anonymous Coward

    QNAP was and is GARBAGE......

    Still remember back 5 years ago when they very rarely updated ANY of their firmware....

    Then suddenly Synology started to take their market share and suddenly updates started to appear for devices.

    next they had ripped off the Synology web-style interface.

    top that off with two drive "raid5" setups and other gash implementations, and suddenly every MOFO in business becomes a storage expert.....

    as if it was not bad enough with the router clowns thinking if they can plug in an internet ISP router, it makes them a network expert...

    now we have NAS "specialists" writing web front ends that allow a user to type in their router password and the NAS punches holes in the "firewall" of the ISP router.... and dumb ass top level execs asking why "if I can do it at home for $200us can I not do it in a business for the same amount....

    why must I spend US6K on a firewall....

    1. jtaylor

      QNAP was and is GARBAGE......every MOFO in business becomes a storage we have NAS "specialists" writing web front ends.... execs asking why "if i can do it at home for $200us can I not do it in a business"

      I probably share many of your frustrations, but not about NAS systems and not about QNAP in particular. I love that average people can benefit from RAID and network storage at home or in small businesses. I've been doing this for several years and never saw someone write a custom web front-end for a NAS appliance. Why would they?

      Sure, I've talked with businesses who wanted to know why they couldn't just buy home-consumer-grade stuff for their business. I just ask whether they buy consumer-grade phone service, Internet connection, property insurance, furniture, printers, etc. I let them answer their own question, no drama, no hard feelings. If they're that cheap, I wouldn't work for them anyway.
