![]() The QNAP firmware updates also included a fix for a high severity cross-site scripting (XSS) vulnerability (CVE-2018-19942) in File Station, the QTS file management app. “Unfortunately, a lot of QNAP owners expose their device to the internet through port forwarding which puts them at very high risk to be hacked,” he explained. Requiring only network access to the vulnerable services, the critical, pre-authenticated flaws highlight an insecure, all-too-widespread way of using the devices, indicated Puyeski. The researcher’s blog post demonstrates a Python script that takes over a NAS device using a simple reverse shell technique. “Both vulnerabilities are simple to exploit if you know the exact technical details (which we didn't publish to protect customers),” Puyeski told The Daily Swig.Ĭatch up on the latest hardware security news With access to the DLNA server, attackers can exploit the flaw to create arbitrary file data, elevating to RCE on the remote NAS, according to Puyeski. Patched in the same batch of firmware updates, the other critical bug (CVE-2020-36195) affects any QNAP NAS devices running Multimedia Console or the Media Streaming add-on. Network-attached pwnageĪ command injection vulnerability (CVE-2020-2509) in QNAP NAS operating systems QTS and QuTS Hero is exploitable via the web server, and is addressed in various QTS versions and builds, plus QuTS Hero h4. ![]() Sold for home and commercial use through subsidiaries in 28 countries, QNAP’s NAS devices are used for file sharing, virtualization, storage management, and surveillance applications. The flaws, which were among a raft of serious bugs addressed by the Taiwanese hardware vendor last week, can both lead to remote code execution (RCE), according to a blog post published on March 31 by security researcher Yaniv Puyeski of SAM Seamless Network. ![]() UPDATED QNAP Systems has patched a pair of critical security vulnerabilities that could allow unauthenticated attackers to take control of its network-attached storage (NAS) devices. Taiwanese vendor also issues mitigations for quartet of other serious flaws ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |