QNAP addresses multiple vulnerabilities in its product line affecting Surveillance Station and Photo Station applications. These vulnerable software applications are powered by Network Attached Storage (NAS), a storage management technology powering file sharing, virtualization, and surveillance applications.
Surveillance Station is a network surveillance Video Management System (VMS) application that helps users manage and monitor IP cameras. Photo Station software application is used to upload images to NAS devices later used to view remotely. However, the end adversary target is always the NAS device powering both the vulnerable software applications.
Surveillance Station Critical Remote Code Execution (RCE) Vulnerability | CVE-2020-2501
A stack-based buffer overflow issue causing remote code execution vulnerability in QNAP NAS devices running the Surveillance Station application. QNAP’s security adversary says
If exploited, this vulnerability allows attackers to execute arbitrary code.
On successful exploitation, attackers can persist inside the network and may take control of the running security service and anti-malware programs. QNAP has already fixed the vulnerability, and patches are released for the following versions.
Surveillance Station 22.214.171.124.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS)
Surveillance Station 126.96.36.199.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS)
Photo Station Cross-Site Scripting (XSS) Vulnerability | CVE-2020-2502
An XSS vulnerability exists in QNAP NAS running earlier versions of the Photo Station software application. QNAP’s security adversary says
If exploited, this vulnerability allows remote attackers to inject malicious code.
On successful exploitation, attackers can steal sensitive information by tricking the victim’s vulnerable application by malicious programs. The patch is available, and the vendors fixed the issue in Photo Station 6.0.11 and later.
Updating Vulnerable QNAP Applications
This workaround can be referred to update both the Surveillance Station and Photo Station to the latest versions.
Note: Users require admin privilege in NAS devices to update the software applications by following
Note: Surveillance Station or Photo Station should be placed instead of Application Name.
Note: The Update button is not available if your version is already up to date.
- Log on to QTS as administrator.
- Open the App Center and search for the Application Name.
- Click Update (A confirmation message appears)
- Click OK
Now your application is successfully updated.
SanerNow software deployment capability can be used to install executables/scripts.