Patch For Probable Safety
Two separate security firms discovered security flaws in QNAP’s firmware, version 22.214.171.1246, back in October and November of 2020. As is common, they gave QNAP a four-month grace period to develop and distribute a fix for the flaws. That period has now expired, so they published their results, which The Register has reported on.
QNAP released firmware version 126.96.36.1990 last Thursday, which addresses the command injection vulnerability as well as an Apache HTTP server vulnerability, and it disables Wi-Fi ad-hoc mode to boot. The second flaw was not specifically addressed in the latest update; however, ThreatPost suggests it was fixed in a previous patch and simply wasn’t mentioned in the notes.
As QNAP waited until the day set for the independent security firms’ public disclosure, it is not yet clear whether these updates will secure you against the flaws. The disclosure only included an overview of the flaws, since there is a huge number of vulnerable devices, so we will have to wait for the researchers’ confirmation.
That is no reason not to update your NAS web servers or DLNA servers as soon as you can: being able to write arbitrary files to your server or trigger code execution remotely are very bad things, and any update is better than none!
ThreatPost claims this flaw is addressed in an updated version of QNAP's media server app, Multimedia Console 1.3.4, though the update makes no mention of any security fixes.