Waiting for patches: Security researchers investigate NAS system Qnap QTS

Security researchers have discovered 15 vulnerabilities in the Qnap QTS NAS operating system. So far, not all gaps have been closed.

This article was originally published in German and has been automatically translated.

Network-attached storage (NAS) devices from Qnap are vulnerable and, in the worst case, attackers can execute malicious code. Although security updates are already available, the developers have not yet solved all security problems. The unresolved issues include, for example, a security gap for which exploit code is already available. Attacks could therefore be imminent.

During an analysis of the Qnap QTS NAS operating system, security researchers from Watchtowr discovered a total of 15 security vulnerabilities. The results are detailed in a recently published report. They state that Qnap has so far closed four of the gaps.

The NAS manufacturer is currently investigating six vulnerabilities, the researchers report. No further information is currently available for the remaining vulnerabilities. In addition, although there are already some CVE numbers for the vulnerabilities, a classification of the threat level is still pending.

Qnap classifies some vulnerabilities already closed in April of this year (QTS 5.1.6.2722 build 20240402 and QuTS hero h5.1.6.2734 build 20240414) as "medium". In most cases, attackers need access to a valid NAS account and network access to exploit the vulnerabilities.

Attacks are therefore not readily possible. If these prerequisites are met, attackers can exploit insufficient checks by sending crafted requests and thereby execute their own code. They can also bypass two-factor authentication.

It is not yet clear if and when the developers will close the remaining security gaps. An answer to a request from heise Security is still pending. The security researchers recommend that Qnap NAS owners take their devices offline until then.

(des)