QNAP Patches Critical Vulnerabilities in NAS Appliances

QNAP has addressed multiple vulnerabilities in its product line affecting the Surveillance Station and Photo Station applications. Both applications run on QNAP Network Attached Storage (NAS) devices, a storage management platform that also powers file sharing, virtualization, and surveillance workloads.

Surveillance Station is a network surveillance Video Management System (VMS) application that helps users manage and monitor IP cameras. Photo Station is used to upload images to a NAS device so they can later be viewed remotely. In both cases, however, the adversary's ultimate target is the NAS device that hosts the vulnerable application.


Surveillance Station Critical Remote Code Execution (RCE) Vulnerability | CVE-2020-2501

A stack-based buffer overflow in the Surveillance Station application allows remote code execution on QNAP NAS devices running it. QNAP's security advisory says:

If exploited, this vulnerability allows attackers to execute arbitrary code.

On successful exploitation, attackers can persist inside the network and may take control of the running security services and anti-malware programs. QNAP has already fixed the vulnerability; the fix is included in the following versions.

Surveillance Station 5.1.5.4.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS)
Surveillance Station 5.1.5.3.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS)
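As an added illustration of the bug class, not QNAP's code: the camera-name handler below, its field size and the request field it parses are all hypothetical. It shows the unbounded stack copy that makes a stack-based overflow possible, beside a bounded replacement that measures the input without scanning past the destination size and rejects anything that does not fit.

```c
#include <stdio.h>
#include <string.h>

#define CAMERA_NAME_MAX 32   /* hypothetical fixed-size field */

/* Vulnerable pattern (illustration, not QNAP's code): the name arrives from
 * the network and is copied into a fixed-size stack buffer with no length
 * check, so a name of CAMERA_NAME_MAX bytes or more writes past `buf`. */
int set_camera_name_unsafe(const char *name)
{
    char buf[CAMERA_NAME_MAX];
    strcpy(buf, name);                 /* unbounded copy: stack-based overflow */
    return (int)strlen(buf);
}

/* Hardened pattern: measure the input without looking at more than dstlen
 * bytes, refuse anything that does not fit together with its terminator,
 * and only then copy. Returns the stored length, or -1 on rejection so the
 * caller can answer with an error instead of silently truncating. */
int set_camera_name_safe(const char *name, char *dst, size_t dstlen)
{
    size_t n = 0;
    while (n < dstlen && name[n] != '\0')
        n++;
    if (n == dstlen)
        return -1;                     /* no terminator within dstlen: too long */
    memcpy(dst, name, n + 1);          /* n + 1 <= dstlen, so this is in bounds */
    return (int)n;
}

/* Wrapper with a stack buffer of the real field size, so the safe handler
 * can be exercised with any input string. */
int try_camera_name(const char *name)
{
    char dst[CAMERA_NAME_MAX];
    return set_camera_name_safe(name, dst, sizeof dst);
}

int main(void)
{
    /* Constructed over-long input: 63 'A's. */
    char long_name[64];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    printf("short name -> %d\n", try_camera_name("lobby-cam"));   /* 9 */
    printf("long name  -> %d\n", try_camera_name(long_name));     /* -1 */
    /* set_camera_name_unsafe(long_name) would corrupt the stack frame; it is
     * shown only for the pattern and is deliberately never called. */
    return 0;
}
```

The design point is that the safe version decides before it writes: the length scan is bounded by the destination size, so even an unterminated input cannot drive it past the buffer, and a rejected request simply fails closed.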


Photo Station Cross-Site Scripting (XSS) Vulnerability | CVE-2020-2502

An XSS vulnerability exists in QNAP NAS devices running earlier versions of the Photo Station application. QNAP's security advisory says:

If exploited, this vulnerability allows remote attackers to inject malicious code.

On successful exploitation, attackers can steal sensitive information by using the vulnerable application to deliver malicious code to the victim. A patch is available: QNAP fixed the issue in Photo Station 6.0.11 and later.
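Added example, not Photo Station's code: the standard mitigation for this class is output encoding before user-supplied text is interpolated into HTML. The photo-title rendering function, its page layout and the `html_escape` helper are assumptions made for the illustration; the unsafe and safe renderers are shown side by side so the difference in output is visible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replacement entity for one character, or NULL if it passes through. */
static const char *html_entity(char c)
{
    switch (c) {
    case '&':  return "&amp;";
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '"':  return "&quot;";
    case '\'': return "&#39;";
    default:   return NULL;
    }
}

/* Escape the characters that let text break out of an HTML text node or a
 * quoted attribute value. Returns a malloc'd string the caller frees, or
 * NULL on allocation failure. Two passes: size, then fill. */
char *html_escape(const char *in)
{
    size_t out_len = 0;
    for (const char *p = in; *p; p++) {
        const char *rep = html_entity(*p);
        out_len += rep ? strlen(rep) : 1;
    }
    char *out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    for (const char *p = in; *p; p++) {
        const char *rep = html_entity(*p);
        if (rep) {
            size_t r = strlen(rep);
            memcpy(q, rep, r);
            q += r;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Hypothetical page fragment for a photo title. The unsafe form interpolates
 * the raw title, so markup inside it becomes part of the page; the safe form
 * escapes first, so the same title is rendered as literal text. */
int render_title_unsafe(const char *title, char *page, size_t pagelen)
{
    return snprintf(page, pagelen, "<h1>%s</h1>", title);
}

int render_title_safe(const char *title, char *page, size_t pagelen)
{
    char *esc = html_escape(title);
    if (esc == NULL)
        return -1;
    int n = snprintf(page, pagelen, "<h1>%s</h1>", esc);
    free(esc);
    return n;
}

int main(void)
{
    /* Constructed input: a title that carries its own markup. */
    const char *title = "Summer <b>trip</b> & \"friends\"";
    char page[256];
    render_title_unsafe(title, page, sizeof page);
    printf("unsafe: %s\n", page);
    render_title_safe(title, page, sizeof page);
    printf("safe:   %s\n", page);
    return 0;
}
```

Escaping at the point of output, rather than trying to filter "bad" input on the way in, is what keeps a stored title inert no matter which page later displays it.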


Updating Vulnerable QNAP Applications

The following steps update both Surveillance Station and Photo Station to the latest versions.

Note: Users need administrator privileges on the NAS device to update the applications with the steps below.

Note: Replace Application Name in the steps with Surveillance Station or Photo Station.

Note: The Update button is not available if your version is already up to date.

  1. Log on to QTS as administrator.
  2. Open the App Center and search for the Application Name.
  3. Click Update. A confirmation message appears.
  4. Click OK.

Now your application is successfully updated.
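Added example (not a QNAP tool or API): a version check that decides whether an installed Surveillance Station or Photo Station build already carries the fix, using the fixed versions listed in this post. The installed version strings are whatever the reader reads off the App Center; the function names are assumptions. The dotted-numeric comparison handles the cases a plain string comparison gets wrong, such as 6.0.9 against 6.0.11, and treats a malformed version as not patched.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed versions, taken from the advisory text in this post. */
#define SS_FIXED_64BIT "5.1.5.4.3"   /* Surveillance Station, ARM or x86 NAS, 64-bit OS */
#define SS_FIXED_32BIT "5.1.5.3.3"   /* Surveillance Station, ARM or x86 NAS, 32-bit OS */
#define PS_FIXED       "6.0.11"      /* Photo Station */

/* Read one dotted component and advance *s past it and its separator.
 * An exhausted string yields 0 (so "6.0.11" equals "6.0.11.0"); a component
 * that is not a number yields -1 and ends parsing, sorting below any real
 * version so a malformed string is never reported as patched. */
static long next_component(const char **s)
{
    if (**s == '\0')
        return 0;
    char *end;
    long v = strtol(*s, &end, 10);
    if (end == *s) {                 /* no digits: malformed */
        *s += strlen(*s);
        return -1;
    }
    *s = (*end == '.') ? end + 1 : end;
    return v;
}

/* Compare dotted numeric versions component by component; returns <0, 0, >0. */
int version_cmp(const char *a, const char *b)
{
    while (*a != '\0' || *b != '\0') {
        long x = next_component(&a);
        long y = next_component(&b);
        if (x != y)
            return x < y ? -1 : 1;
    }
    return 0;
}

/* 1 if the installed Surveillance Station build already carries the
 * CVE-2020-2501 fix for the given OS width (32 or 64), else 0. */
int surveillance_station_patched(const char *installed, int os_bits)
{
    const char *fixed = (os_bits == 64) ? SS_FIXED_64BIT : SS_FIXED_32BIT;
    return version_cmp(installed, fixed) >= 0;
}

/* 1 if the installed Photo Station build carries the CVE-2020-2502 fix. */
int photo_station_patched(const char *installed)
{
    return version_cmp(installed, PS_FIXED) >= 0;
}

int main(void)
{
    /* Constructed inventory entries: installed version and OS width. */
    printf("Surveillance Station 5.1.5.3.3 on 64-bit: %s\n",
           surveillance_station_patched("5.1.5.3.3", 64) ? "patched" : "UPDATE");
    printf("Surveillance Station 5.1.5.3.3 on 32-bit: %s\n",
           surveillance_station_patched("5.1.5.3.3", 32) ? "patched" : "UPDATE");
    printf("Photo Station 6.0.9: %s\n",
           photo_station_patched("6.0.9") ? "patched" : "UPDATE");
    return 0;
}
```

Note that the fixed version differs by OS width for Surveillance Station, so the check needs both the version string and whether the NAS runs a 32-bit or 64-bit OS; a 64-bit device on 5.1.5.3.3 is reported as needing the update.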


The SanerNow software deployment capability can be used to install executables and scripts.
