QNAP Caught Sleeping On Vulnerabilities For Four Months

Source: The Register

Patch For Probable Safety

Two separate security firms discovered security flaws in QNAP’s firmware, version 4.3.6.1446, back in October and November of 2020. As is common, they gave QNAP four months' grace to develop and distribute a fix for the flaws. That time has now expired, so they published their results, which The Register posted details on.

QNAP released firmware version 4.3.6.1620 last Thursday, which addresses the command injection vulnerability as well as an Apache HTTP server vulnerability, and it disables Wi-Fi ad-hoc mode to boot. The second flaw was not specifically addressed in the latest update; however, ThreatPost suggests it was addressed in a previous patch and simply wasn’t mentioned in the notes.

As QNAP waited until the day set for the independent security firms' public disclosure, it is not yet clear whether these updates will secure you against the flaws. The disclosure only included an overview of the flaws, as there are a huge number of vulnerable devices, so we will have to wait for their confirmation.

That is no reason not to update your NAS web servers or DLNA servers as soon as you can. Being able to write arbitrary files to your server or trigger code execution remotely are very bad things, and any update is better than none!

ThreatPost claims this flaw is addressed in an updated version of QNAP's media server app, Multimedia Console 1.3.4, though the update makes no mention of any security fixes.

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
