Vulnerabilities in QNAP Fixed
The Company Patched the Bug that Lets Attackers Run Malicious Commands Remotely.
Multiple patches were released by the Taiwan-based network-attached storage (NAS).
In this way, they addressed the vulnerabilities that could enable attackers to inject and execute malicious code and commands remotely on vulnerable NAS devices.
What Vulnerabilities Were Fixed?
Three high-severity stored cross-site scripting (XSS) vulnerabilities (listed as CVE-2021-34354, CVE-2021-34356, and CVE-2021-34355) that impact devices running unpatched Photo Station software were addressed today by QNAP (releases before 5.4.10, 5.7.13, or 6.0.18).
A stored XSS Image2PDF issue was also addressed by QNAP, which affected machines running software versions prior to Image2PDF 2.1.5.
Threat actors can use stored XSS attacks to inject malicious code remotely and store it on the targeted servers indefinitely after successful exploitation.
A command injection flaw (CVE-2021-34352) affecting some QNAP end-of-life (EOL) devices using the QVR IP video surveillance software was also fixed, allowing attackers to run arbitrary instructions.
Successful attacks using the CVE-2021-34352 issue might result in NAS devices being completely taken over.
Three more QVR vulnerabilities were also addressed on Monday, according to a security warning issued by QNAP and categorized as critical severity.
What Is an XSS Attack?
Cross-Site Scripting, commonly known as an XSS attack, is a type of injection that allows malicious scripts to be injected into otherwise trustworthy and safe websites. XSS attacks occur when an attacker utilizes an online application to deliver malicious code to a specific end-user, generally in the form of a browser-side script. Unfortunately, the flaws that allow these attacks to succeed are common, and they may occur everywhere an online program utilizes user input in its output without verifying or encrypting it.
An attacker can use XSS to deliver a malicious script to an unwitting user, and the user’s browser has no means of knowing that the script isn’t to be trusted, thus it will run it.
Because the malicious script believes the script originated from a trustworthy source, it may now access any cookies, session tokens, or other sensitive data that the browser has already stored, or even change the text of an HTML page.
Secure Your NAS Device
According to BleepingComputer, customers should update as soon as possible both apps to the latest available releases as soon as possible.
To update Photo Station or Image2PDF to the latest version on your NAS, you need to go through the following procedure:
- Log into QTS or QuTS hero as administrator.
- Open the App Center, and then click. A search box appears.
- Type “Photo Station” or “Image2PDF” and then press ENTER. The application appears in the search results.
- Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
- Click OK. The application is updated.
To update the QVR surveillance software, follow these steps:
- Log on to QVR as administrator.
- Go to Control Panel> System Settings > Firmware Update.
- Under Live Update, click Check for Update. QVR downloads and installs the latest available update.
Back in September last year, QNAP warned regarding a surge in ransomware attacks encrypting files on publicly exposed NAS storage devices.