Security Problems with QNAP NASes

01/07/2020

QNAPs are great for some places, providing a compact, all-in-one, easy-to-use storage solution, but like most IT tech they have their problems, and you need to know about them and keep on top of them.

With QNAP devices being so packed with features and functionality, there is a massive attack surface for hackers to exploit (more features = more places to get in). Herein lies the problem: too much security and you have no functionality, while too many functions give you security problems. QNAP has to walk a fine line, keeping on top of people's requests for features and the security those features require.

Added to this, features themselves get updated (SMB V1, V2, V2.1, V3, V3.02, V3.1.1, etc.), giving you optimizations, speed enhancements and added security for old problems.
QNAP and other companies have to stay up to date with these or be left behind, meaning you can't access your data and hackers can.

The ongoing reliance of companies on IT and remote access, especially during this COVID-19 time, has brought many old and new problems to light, and as companies attempt to patch out the old problems it can give access or insight into new places to get in. Unfortunately, QNAP seems to be big enough to get a lot of attention but not yet big enough to catch all these security problems in testing.

Some of the biggest ones out there over the last few months are:

  1. Three bugs in Photo Station (which runs with root privileges) can be chained together to bypass authentication.
  2. Malicious code can be inserted into the Photo Station app's PHP session.
  3. A web shell can be installed on unpatched QNAP devices.

This gives hackers complete access to the device: everything the QNAP has access to and all the data it holds.

What can you do?

  • Run updates on your QNAP once a week and stay up to date.
  • Do not run your QNAP on the internet; if you need to access it, use a VPN.
  • Keep features to a minimum. Fewer features = less attack surface.