QNAP’s Security Team Caught Napping

4 Out Of 15 Is A Nasty Number Of Fixes

The QNAP QTS OS for their NAS devices is in the news, and not in a good way. Security researchers discovered 15 flaws between December 12, 2023, and January 23, 2024, and as of today QNAP has addressed only four of them. This delay has led to the vulnerabilities being publicly disclosed so that owners of QNAP devices are aware of the flaws their devices have. On the plus side, the disclosure has led to five more patches being released today, including one for the zero-day remote code execution vulnerability.

Many of the flaws are due to improper use of the strcpy function, which can be leveraged to cause a buffer overflow and lead to code execution. There are also flaws that allow an attacker to defeat MFA, plus a handful of other attack vectors. QNAP have overcome what they are calling coordination issues to release patches, and you should definitely grab them from the link at Bleeping Computer. It might be worth checking back to see if there are updates addressing the remaining six flaws.
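As an added illustration (not QNAP's code; the request struct, field size and function names are assumed), here is the unbounded strcpy() pattern the post describes beside a bounded replacement that measures the input first and refuses anything too long for the destination:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32   /* assumed fixed-size field, typical of the bug class */

struct request {
    char name[NAME_MAX];
    int  flags;
};

/* The pattern the post describes: strcpy() copies until the NUL byte and
 * never consults the destination size, so any input of NAME_MAX bytes or
 * more writes past 'name' into 'flags' and beyond. Shown for contrast only;
 * it is never called with oversized input here. */
static void set_name_unsafe(struct request *r, const char *src) {
    strcpy(r->name, src);
}

/* Hardened replacement: look for the terminator within the destination size,
 * reject input that does not fit (including the NUL), and only then copy.
 * Returns 0 on success, -1 when src is rejected; r->name is untouched on -1. */
static int set_name_safe(struct request *r, const char *src) {
    const char *end = memchr(src, '\0', NAME_MAX);
    if (end == NULL)
        return -1;                     /* no NUL in the first NAME_MAX bytes */
    size_t n = (size_t)(end - src);    /* n <= NAME_MAX - 1 here */
    memcpy(r->name, src, n + 1);       /* copies the terminator too */
    return 0;
}

/* Helper for checking the boundary: builds a constructed input of 'len'
 * 'A' bytes (capped at 63) and reports whether set_name_safe accepts it. */
static int name_accepted_len(size_t len) {
    char buf[64];
    struct request r = {0};
    if (len > 63) len = 63;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return set_name_safe(&r, buf);
}

int main(void) {
    struct request r = {0};
    set_name_unsafe(&r, "admin");                 /* short input: fits */
    printf("unsafe copy, short input: %s\n", r.name);
    printf("safe copy, 31 bytes: %d\n", name_accepted_len(31));   /* 0  */
    printf("safe copy, 32 bytes: %d\n", name_accepted_len(32));   /* -1 */
    return 0;
}
```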
