QNAP vulnerability disclosure ends up an utter shambles

Network-attached storage (NAS) specialist QNAP has disclosed and released fixes for two new vulnerabilities, one of them a zero-day discovered in early November. The Taiwanese company's coordinated disclosure of the issues with researchers at Unit 42 by Palo Alto Networks has, however, led to some confusion over the severity …

  1. Korev Silver badge

    I'd like to replace my Synology and their hardware is looking really behind the times these days. I was eyeing up some QNAPs, but they seem to get hacked too often for my tastes...

    1. FILE_ID.DIZ

      Only relevant if you're planning on hanging one of these off the internet at-large.

      Don't do this, ever. With a QNAP or any other device that is not purposefully designed to be a security/edge device. Even "security/edge" devices have critical vulnerabilities... SSL-VPNs seem to be the flavour of the day.

      On a private network with trusted devices on it, they're relatively safe devices for home use.

      Sure, your home computer could catch something and then they move to a vulnerable QNAP...

      1. Lee D Silver badge

        There's no way you should be allowing anything other than authorised traffic between machines and a NAS etc.

        If you have a NAS offering direct storage to users, with web interface, NTP interface, etc. visible to them, then you're doing it wrong.

        Least privilege principle. And there's no excuse "at home" for a professional - even the cheapest routers/switches allow VLANs etc. nowadays and have for decades.

        Put the NAS in its own VLAN (like your CCTV cameras are in their own VLAN, and your smart devices are in their own VLAN, etc.) and only the ports absolutely necessary for the operations are allowed between them. In the home case, literally only the SMB/CIFS port, for example.

        1. Headley_Grange Silver badge

          It's a problem that NAS devices like this are sold with great and useful functionality/apps which the manufacturers push and make relatively easy to run without taking security into consideration. I got mine primarily for backups and media, but when I first got it I came close a couple of times to using it for our website, but bottled it at the last minute when it came to opening the ports to incoming traffic. I simply don't know enough about networks and security to convince myself it was safe. This was years ago before these attacks were common, but I'm so glad I didn't. Paying a few quid a month for hosting is worth it just for peace of mind.

          1. Lee D Silver badge

            Keep your storage as storage, your servers as servers and your clients as clients.

            There's no need for direct access from client to storage, there's no need for servers to provide more than the bare minimum to clients or access storage they don't need, there's no need for storage to offer any services except storage, and servers should be isolated behind a firewall and external access minimised as much as possible.

            DMZ etc. goes back as far as any operating system in modern use, but we seem to have forgotten about it entirely.

            Just my home setup - A Raspberry Pi running Plex has storage on a NAS, which is only accessible read-only by that local Pi, which runs the Plex services, which are only accessible via reverse-proxy from an external server (mainly to get around dynamic IP limitations, no reason that couldn't be a single port-forward to an isolated VLAN).

            If Plex/Pi is compromised, they have read-only access to... my Plex storage. Oh no! They can download '80s sitcoms! Not even the local network.

            If the external server is compromised, they can maybe try to compromise the Pi, if they do so before I notice.

            If my client is compromised, my Plex/Pi and storage are still safe (and backed up, snapshotted, etc. anyway).

            Put barriers between everything, and poke as few holes as possible.
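The segmentation Lee D describes in the two comments above (one VLAN per role, default deny between VLANs, only the SMB port from the Plex Pi to the NAS, only the reverse proxy exposed to the outside) as an added worked example, not code from the thread or from QNAP/Synology: a small Python model of that allow list that renders an nftables forward chain for a Linux router and computes the blast radius of a compromised host in each zone. Zone names, interface names and every port other than SMB's 445 are assumptions made for the example.

```python
"""Default-deny inter-VLAN policy as code: render it for nftables and
report which zones an attacker in any one zone can still reach.
Added example; the network layout below is assumed, not taken from a vendor."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List

# Zone -> router interface. Interface names are assumptions for the example;
# on a real router they are whatever the VLAN sub-interfaces are called.
ZONE_IFACE: Dict[str, str] = {
    "wan": "wan0",
    "clients": "vlan10",
    "nas": "vlan20",
    "media": "vlan30",   # Raspberry Pi running Plex
    "proxy": "vlan40",   # reverse-proxy host fronting Plex
}


@dataclass(frozen=True)
class Flow:
    src: str    # zone that opens the connection
    dst: str    # zone that accepts it
    proto: str  # "tcp" or "udp"
    port: int   # destination port
    why: str    # comment carried into the ruleset


# Explicit allow list. Anything not listed is dropped by the chain's default
# policy. Ports other than 445 are assumed values for the example.
ALLOWED: List[Flow] = [
    Flow("media", "nas", "tcp", 445, "Plex Pi mounts the media share (exported read-only on the NAS)"),
    Flow("proxy", "media", "tcp", 32400, "reverse proxy forwards to Plex"),
    Flow("wan", "proxy", "tcp", 443, "the only externally exposed service"),
    Flow("clients", "proxy", "tcp", 443, "clients use the same front door"),
]


def is_allowed(src: str, dst: str, proto: str, port: int) -> bool:
    """Default-deny lookup for a new connection; replies are handled by conntrack."""
    return any(f.src == src and f.dst == dst and f.proto == proto and f.port == port
               for f in ALLOWED)


def zones_reachable(start: str) -> Dict[str, int]:
    """Blast radius: zones a host in `start` can open connections to, directly
    or by pivoting, with the hop count. Each extra hop assumes the intermediate
    host gets compromised too, which is exactly the chain the comment describes."""
    hops: Dict[str, int] = {}
    queue = deque([(start, 0)])
    while queue:
        zone, depth = queue.popleft()
        for f in ALLOWED:
            if f.src == zone and f.dst != start and f.dst not in hops:
                hops[f.dst] = depth + 1
                queue.append((f.dst, depth + 1))
    return hops


def render_nft() -> str:
    """Emit the allow list as an nftables forward chain with policy drop."""
    lines = [
        "table inet segmentation {",
        "    chain forward {",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for f in ALLOWED:
        lines.append(
            f'        iifname "{ZONE_IFACE[f.src]}" oifname "{ZONE_IFACE[f.dst]}" '
            f'{f.proto} dport {f.port} ct state new accept comment "{f.why}"'
        )
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nft())
    for zone in ZONE_IFACE:
        print(f"compromised host in {zone!r} can open connections to: {zones_reachable(zone)}")
```

Feeding the rendered text to `nft -f -` on the router installs the policy; the WAN rule assumes the port-forward (DNAT) to the proxy is already done in a prerouting chain, which this example does not generate. The reachability report is the useful part: the Pi can only ever open SMB to the NAS, the NAS can open nothing, and an attacker on the outside needs three successive compromises (proxy, then Pi, then NAS) before storage is in play, which is the layering the comment argues for.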

    2. Headley_Grange Silver badge

      I think it's swings and roundabouts. I bought my QNAP many years ago and at the time Synology were getting hit, but it does seem that in the last couple of years QNAP has come under attack a lot more. Might be because they are popular, and hence more of them out in the wild, or because their security isn't very good. Whichever, mine's firewalled with no access to t'internet in either direction. I download and install updates manually.

    3. Snake Silver badge

      QNAP

      This has been going on with QNAP for YEARS

      https://www.dpreview.com/forums/thread/4439774

      I really like their hardware, but their software...?? Ugh :-( Constant bugs, security flaws and unwanted 'features' added as updates. So I moved to Synology in the last hardware update cycle. Synology's mostly-plastic chassis are a letdown after going QNAP "SMB" level, but the software is solid, and that is what really matters more.

  2. sitta_europea Silver badge

    Wouldn't touch QNAP with a bargepole.
