
OpenSSL Vulnerabilities in Synology & QNAP NAS – What Is Going On?

9 September 2021 at 15:06

The Current Synology & QNAP NAS and OpenSSL Security Issues Explained

As many of you may have heard, in recent weeks two vulnerabilities were identified in OpenSSL, the encryption library behind the SSL/TLS implementation of a great many sites and servers, which gave particularly industrious interlopers a way into a site via a weakness in the library. Although OpenSSL is not developed by Synology or QNAP, it is used in several smaller areas/applications of their respective DSM and QTS software platforms. It is not uncommon for a brand to rely on a third-party provider, and OpenSSL is one of the most popular open-source SSL libraries in the world. The vulnerabilities were identified in late August and, although a lot has happened since and a fix is beginning to roll out, they are still not fully resolved in the affected Synology and QNAP NAS software and services. So, today I wanted to go through what an SSL certificate is, what OpenSSL is, the nature of the vulnerabilities, what has been resolved, what hasn’t and ultimately explain where things stand right now. Let’s get started!

What is an SSL certificate?

You know when you browse the internet and there is that little padlock next to the www.website bit? That symbol indicates that communication between your web browser and the website/server you are talking to is encrypted. The padlock identifies the SSL certificate (SSL standing for Secure Sockets Layer), and in recent years it has become heavily encouraged that any website you visit has a valid and secure SSL certificate in place (with Google warning you if you go to an ‘unsecure’ site and openly ranking SSL-enabled sites higher on page 1 of its results). If you choose to access your NAS via the internet, then it is recommended (and set as a default on the NAS platforms in many ways) to access your server via an SSL-equipped connection, as this adds a valuable security layer and creates an encrypted link between the web-accessed server and your web browser.

What is OpenSSL?

OpenSSL is an open-source encryption tool/library. Released in 1998 and REGULARLY updated, it is used by both Synology and QNAP in a number of their software and services that feature a remote access component. It is not just them: many, MANY others use OpenSSL in PARTS/ALL of the architecture of their remote connections for encrypted data transfers. The use of OpenSSL is by no means a negative mark on any brand, as it has been developed over an exceedingly long time and is regularly updated.

What was the Vulnerability with OpenSSL?

In August, two vulnerabilities in the OpenSSL platform were identified and OpenSSL themselves were contacted immediately. The “CVE-2021-3711” and “CVE-2021-3712” security holes were in the then-latest release of OpenSSL and, in OpenSSL’s own security updates and advisory, were listed as Moderate and Severe in importance. Likewise, OpenSSL (among others, no doubt) contacted Synology and QNAP to highlight these vulnerabilities, and each brand added entries to its security advisory and posted about this on its own platforms, adding that it was working on a resolution (almost certainly based on the fix formed and executed by OpenSSL themselves). The two vulnerabilities were still remarkably narrow and required a rigidly set scenario and knowledge in order to be in any way usable. However, they did open the door to the following, allowing attackers to:

  • Carry out DoS attacks on the server
  • Execute malicious code on the server
  • Gain remote access to the server through a buffer overflow.

In the case of Network Attached Storage (NAS) from the likes of Synology and QNAP, it was highlighted very early on that it could only affect NAS systems with internet connectivity. On August 24th 2021, OpenSSL was able to resolve these vulnerabilities, closing the matter and issuing a patched update to OpenSSL that removed them both. However, at the time of writing, both vulnerabilities are listed as ongoing on both the Synology and QNAP Security Advisory pages (where they highlight any/all security issues on their platforms that have been resolved or are being worked on).
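A practical check to go with this: the following Python script, added here as an example (it is not from the article or from either vendor), parses the banner printed by `openssl version` on a NAS and compares it against OpenSSL's 24 August 2021 release. The fixed version string (1.1.1l, which the article itself does not name), the SSH user name and the target host are assumptions.

```python
import re
import subprocess
from typing import Tuple

# The OpenSSL release of 24 August 2021 that removed CVE-2021-3711 and CVE-2021-3712
# on the 1.1.1 branch. The article does not name it; 1.1.1l is stated here as an
# assumption to verify against the OpenSSL advisory for the branch your device ships.
FIXED_1_1_1 = "1.1.1l"

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.1.1k  25 Mar 2021".
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Tuple[int, int, int, str]:
    """Turn an `openssl version` banner into a comparable tuple.

    Pre-3.0 OpenSSL numbers patch releases with a trailing letter (1.1.1k < 1.1.1l),
    so the letter is kept as the fourth element; a missing letter sorts before 'a'.
    """
    match = VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"not an OpenSSL version banner: {banner!r}")
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def is_patched(banner: str, fixed: str = FIXED_1_1_1) -> bool:
    """True if the banner's version is at or after the fixed release.

    Only the same branch is compared letter by letter. A newer branch (3.0.x) is
    treated as patched and an older, end-of-life branch (1.0.2) as not patched.
    """
    found = parse_openssl_version(banner)
    wanted = parse_openssl_version("OpenSSL " + fixed)
    if found[:3] != wanted[:3]:
        return found[:3] > wanted[:3]
    return found[3] >= wanted[3]


def remote_openssl_banner(host: str, user: str = "admin") -> str:
    """Fetch the banner from a NAS over SSH (assumes SSH is enabled and key auth works)."""
    result = subprocess.run(
        ["ssh", f"{user}@{host}", "openssl", "version"],
        capture_output=True, text=True, check=True, timeout=30,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None  # hypothetical NAS host name
    banner = remote_openssl_banner(target) if target else "OpenSSL 1.1.1k  25 Mar 2021"
    status = "patched" if is_patched(banner) else "NOT patched"
    print(f"{banner} -> {status} (reference release: {FIXED_1_1_1})")
```

DSM and QTS ship vendor-built OpenSSL, and apps such as HBS 3 can bundle their own copy, so an old banner is a reason to look harder rather than the last word; the vendor advisory status remains the authority.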

What Is Synology NAS Doing About the OpenSSL Vulnerability?

Both Synology and QNAP have been updating their users on the resolution of these OpenSSL vulnerabilities, though neither brand has yet implemented a full fix for all vulnerabilities across its software platform. Given that both brands use a unique/modified version of Linux to build their software and services, simply applying the OpenSSL fix issued on 24th August is likely far from trivial, and modification, application and testing of any resolution needs to be conducted internally by both before a widespread software update is issued. While neither Synology nor QNAP provides an estimated timeline for these incoming updates being fully concluded, last month Synology told BleepingComputer that it generally patches affected software within 90 days after publishing advisories. Fair play to Synology for publishing information on this immediately.

Product          Severity   Fixed Release Availability
DSM 7.0          Important  Ongoing
DSM 6.2          Moderate   Ongoing
DSM UC           Moderate   Ongoing
SkyNAS           Moderate   Pending
VS960HD          Moderate   Pending
SRM 1.2          Moderate   Ongoing
VPN Plus Server  Important  Ongoing
VPN Server       Moderate   Ongoing

Indeed, below is a statement issued online by Synology to be.hardware.info responding to these vulnerabilities and explaining why the brand is handling them internally this way (translated from German to English):

Synology-SA-21:24 OpenSSL includes two vulnerabilities, CVE-2021-3711 and CVE-2021-3712.

CVE-2021-3711 does not affect most Synology devices as they do not use SM2 encryption by default. Although our NAS devices are currently sold with an affected version of OpenSSL, there can only be said to be a security risk if administrators use third-party software with SM2 encryption.

CVE-2021-3712 addresses specific functionality related to the creation of x509 certificates (used for security protocols such as https) that may cause denial-of-service on the affected device. It is difficult to abuse this as it requires administrator privileges.

Furthermore, the manufacturer emphasizes that the priority of updates is based on the frequency of the affected configurations, the complexity of exploiting the vulnerability and the extent of the potential damage that can be caused. In its own words, it should be sufficient to remedy the aforementioned risks within the usual 90-day period.

What Is QNAP NAS Doing About the OpenSSL Vulnerability?

QNAP stated in their own security advisory last month the following two potential consequences of these vulnerabilities if pushed to their fullest extent:

An out-of-bounds read vulnerability in OpenSSL has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, the vulnerability allows remote attackers to disclose memory data or execute a denial-of-service (DoS) attack. Additionally, an additional out-of-bounds vulnerability in OpenSSL has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerabilities allow remote attackers to execute arbitrary code with the permissions of the user running the application. QNAP is thoroughly investigating the case. We will release security updates and provide further information as soon as possible.

How To Stay Informed on Synology & QNAP NAS Vulnerabilities?

At NASCompares we provide a regularly updated list of current vulnerabilities and security issues as they are published on the respective QNAP and Synology security advisory pages.

QNAP NAS Current Vulnerabilities and Exploits

  • Command Injection Vulnerabilities in QVR (Mon, 27 Sep)
  • Stack Buffer Overflow Vulnerabilities in QTS, QuTS hero, and QuTScloud (Fri, 10 Sep)
  • Stack Buffer Overflow in QUSBCam2 (Fri, 10 Sep)
  • Stack-Based Buffer Overflow Vulnerabilities in NVR Storage Expansion (Fri, 10 Sep)
  • Insufficiently Protected Credentials in QSW-M2116P-2T2S and QuNetSwitch (Fri, 10 Sep)
  • Insufficient HTTP Security Headers in QTS, QuTS hero, and QuTScloud (Fri, 10 Sep)
  • Out-of-Bounds Read in OpenSSL (Mon, 30 Aug)
  • Out-of-Bounds Vulnerabilities in OpenSSL (Mon, 30 Aug)
  • Improper Access Control in Legacy HBS 3 (Hybrid Backup Sync) (Tue, 06 Jul)
  • Multiple Command Injection Vulnerabilities in QTS (Thu, 01 Jul)
  • Stored XSS in QuLog Center (Thu, 01 Jul)
  • Stored XSS in Qcenter (Thu, 01 Jul)
  • XSS in QTS (Thu, 01 Jul)
  • DNSpooq Vulnerabilities in QTS (Thu, 01 Jul)
  • Command Injection in QTS (Thu, 24 Jun)
  • Insecure Storage of Sensitive Information in myQNAPcloud Link (Wed, 16 Jun)
  • SMB Out-of-Bounds Read in QTS (Wed, 16 Jun)
  • Out-of-Bounds Read in QSS (Fri, 11 Jun)
  • Inclusion of Sensitive Information in QSS (Fri, 11 Jun)
  • Improper Access Control in Helpdesk (Fri, 11 Jun)


Synology NAS Current Vulnerabilities and Exploits

Advisory           Component                  Severity      Status    Updated
Synology-SA-21:26  Photo Station              Important     Resolved  2021-09-07 10:03:01 UTC+8
Synology-SA-21:25  DSM                        Moderate      Ongoing   2021-09-01 14:04:01 UTC+8
Synology-SA-21:24  OpenSSL                    Important     Ongoing   2021-09-14 11:57:06 UTC+8
Synology-SA-21:23  ISC BIND                   Not affected  Resolved  2021-08-20 10:43:23 UTC+8
Synology-SA-21:22  DSM                        Important     Ongoing   2021-09-01 14:08:26 UTC+8
Synology-SA-21:21  Audio Station              Important     Resolved  2021-06-16 16:05:29 UTC+8
Synology-SA-21:20  FragAttacks                Moderate      Ongoing   2021-05-12 18:26:08 UTC+8
Synology-SA-21:19  SRM                        Important     Resolved  2021-05-11 14:23:32 UTC+8
Synology-SA-21:18  Hyper Backup               Moderate      Resolved  2021-05-04 13:37:52 UTC+8
Synology-SA-21:17  Samba                      Moderate      Ongoing   2021-05-06 11:28:17 UTC+8
Synology-SA-21:16  ISC BIND                   Moderate      Ongoing   2021-05-03 10:34:51 UTC+8
Synology-SA-21:15  Antivirus Essential        Important     Resolved  2021-04-28 08:12:48 UTC+8
Synology-SA-21:14  OpenSSL                    Not affected  Resolved  2021-03-29 08:56:36 UTC+8
Synology-SA-21:13  Samba AD DC                Important     Resolved  2021-07-08 17:14:55 UTC+8
Synology-SA-21:12  Synology Calendar          Moderate      Resolved  2021-06-19 10:53:03 UTC+8
Synology-SA-21:11  Download Station           Important     Resolved  2021-06-19 11:15:17 UTC+8
Synology-SA-21:10  Media Server               Moderate      Resolved  2021-06-19 10:55:28 UTC+8
Synology-SA-21:09  WebDAV Server              Moderate      Resolved  2021-02-23 11:18:19 UTC+8
Synology-SA-21:08  Docker                     Low           Resolved  2021-06-13 11:21:28 UTC+8
Synology-SA-21:07  Synology Directory Server  Moderate      Resolved  2021-02-23 11:17:51 UTC+8




QNAP NAS QTS 5.0 Beta Now Available

4 July 2021 at 23:00

Beta Now Available for QNAP QTS 5.0 Released

Most people who own a NAS drive, for business or for pleasure, will realise very early on that the software these systems arrive with is more than just simple file/folder storage access. In particular, the QNAP QTS system software and services have evolved a great deal over the years and have now found a good balance between providing a user-friendly experience and providing a good degree of system/storage information when needed. Add to this that QNAP has generally been first to market when it comes to innovation in the NAS industry (sometimes a little sooner than some might like!), which has led to them introducing a number of key applications ahead of their NAS competitors (HybridMount, vJBOD, Container Station, Linux Station and Multimedia Console, to name a few) in previous versions of QTS. At the same time as Synology is launching its new DSM 7 platform (after nearly 3 years in development), QNAP is now letting users test and provide feedback on QTS 5.0. The Beta of QTS 5.0 is now available to download from QNAP HERE and, along with numerous background improvements, there are several new applications, new services (including AI-assisted analysis improvements with the Google TPU upgrades), improved SSD cache handling and security-tightening measures. The Beta Test period ends at 23:59 (UTC+8) on July 31, 2021.

What QNAP have said about the QTS 5.0 Beta – QNAP released the QTS 5.0 Beta, the latest version of the NAS operating system. QTS 5.0 has upgraded with Linux Kernel 5.10, improved security, WireGuard VPN support, and enhanced NVMe SSD cache performance. The DA Drive Analyzer, powered by a cloud AI engine, helps predict the expected life of drives. The new QuFTP app helps fulfil personal and business file transfer needs. QNAP now welcomes users to join the Beta Program and provide their feedback so QNAP can further improve QTS and provide a more comprehensive and secure user experience. QTS 5.0 builds upon its solid foundations with an updated system kernel and optimized user interface – followed by enhanced security measures to protect your digital assets, improved system performance to streamline your applications, and integrated AI machine learning to strengthen image recognition and drive failure prediction. Providing cutting-edge features to meet the challenge of rapid technological changes, QTS 5.0 brings you data security, power, and intelligence.

Increase your security level

QTS 5.0 supports TLS 1.3 to improve security and performance, with automatic updates of QTS and apps to ensure your NAS operates under optimal conditions. You can also use SSH keys for authentication to secure access to your NAS, preventing password breaches or similar potential attacks. The previous revision, TLS 1.2, initializes the connection with a dialogue to agree on a certain encryption type; once the client and server agree, they begin sharing encryption keys. TLS 1.3 is faster because this back-and-forth never takes place. Instead, the initial message from the client states what it plans to access along with its supported ciphers, key agreements and other information, and the server responds with the chosen cipher suite and its own key share. Since the server provides the key right away, the client cannot demand the use of older forms of encryption, making the connection more secure. Technically, the client sends all the information necessary to establish a secure connection in the initial ‘Hello’ message; it even calculates multiple pre-shared keys based on the offered cipher suites. Once the server receives the initial ‘Hello’ message, it provides a key to the client based on the chosen cipher suite.
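To verify this on your own NAS after the upgrade, here is an added Python example (not QNAP's code) that handshakes with the device three times, each time offering only one protocol range, so you can see whether TLS 1.3 is negotiated and whether TLS 1.0/1.1 are still accepted. The cipher grading policy and the default port are assumptions made for this example.

```python
import argparse
import socket
import ssl
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ProbeResult:
    version: Optional[str]  # e.g. "TLSv1.3", or None when the handshake failed
    cipher: Optional[str]   # OpenSSL suite name, e.g. "TLS_AES_256_GCM_SHA384"
    error: Optional[str] = None


def classify_cipher(version: Optional[str], cipher: Optional[str]) -> str:
    """Grade a negotiated (protocol, cipher) pair as 'strong', 'acceptable' or 'weak'.

    The policy is an assumption made for this example, not QNAP's: every TLS 1.3 suite
    is AEAD with forward secrecy; on TLS 1.2 we require (EC)DHE plus GCM or ChaCha20;
    SHA-1 CBC suites, RC4/3DES/MD5/NULL and static-RSA key exchange count as weak.
    """
    if version == "TLSv1.3":
        return "strong"
    if version != "TLSv1.2" or not cipher:
        return "weak"  # TLS 1.0/1.1 and older are deprecated outright
    name = cipher.upper()
    if any(m in name for m in ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXPORT", "ANON")):
        return "weak"
    if name.endswith("-SHA"):  # CBC mode with an HMAC-SHA1 MAC
        return "weak"
    if not name.startswith(("ECDHE-", "DHE-")):
        return "weak"  # static RSA key exchange: no forward secrecy
    if "GCM" in name or "CHACHA20" in name:
        return "acceptable"
    return "weak"  # (EC)DHE with CBC-SHA256/384: still CBC, avoid


def probe(host: str, port: int, lo: ssl.TLSVersion, hi: ssl.TLSVersion,
          timeout: float = 5.0) -> ProbeResult:
    """Handshake with the server while offering only protocol versions in [lo, hi]."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # we assess the TLS stack, not the certificate
    ctx.verify_mode = ssl.CERT_NONE  # chain; NAS boxes often use self-signed certs
    ctx.minimum_version = lo
    ctx.maximum_version = hi
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ProbeResult(tls.version(), tls.cipher()[0])
    except (ssl.SSLError, OSError) as exc:
        # A version the server refuses surfaces here as a handshake failure.
        return ProbeResult(None, None, str(exc))


def assess(host: str, port: int = 443) -> Dict[str, dict]:
    """Report which protocol versions the NAS accepts and how its chosen suites grade."""
    ranges = (
        ("TLS 1.3", ssl.TLSVersion.TLSv1_3, ssl.TLSVersion.TLSv1_3),
        ("TLS 1.2", ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
        ("TLS 1.0/1.1", ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1),
    )
    report = {}
    for label, lo, hi in ranges:
        r = probe(host, port, lo, hi)
        report[label] = {
            "offered": r.version is not None,
            "cipher": r.cipher,
            "grade": classify_cipher(r.version, r.cipher) if r.version else None,
            "error": r.error,  # inspect this: a client-side policy error also lands here
        }
    return report


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Which TLS versions does a NAS accept?")
    ap.add_argument("host")  # hypothetical NAS host name or IP
    ap.add_argument("--port", type=int, default=443)
    args = ap.parse_args()
    for label, info in assess(args.host, args.port).items():
        state = "offered" if info["offered"] else "refused"
        print(f"{label:<12} {state:<8} {info['cipher'] or '-':<32} {info['grade'] or ''}")
```

A "refused" line for TLS 1.0/1.1 can also mean your own OpenSSL build no longer offers those versions, which is why the error text is kept in the report.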

Predict drive failure and minimize downtime with the help of AI

Now you have an exciting solution that can protect you from drive failure and data loss. The DA Drive Analyzer – developed in partnership with QNAP and ULINK Technology – is an AI engine that predicts the expected life of drives, allowing you to take preemptive steps to prevent data loss from predicted drive failure.

Check both the life prediction score and drive health status with a user-friendly interface.

Check the status of all drives in your NAS and expansion units. (TR series expansion units are not supported)

Check each drive’s status on Drive Life Prediction Score. The lower the score, the lower the drive’s health.

Check which day DA Drive Analyzer alerts you on the Alert History tab.

Supports WireGuard VPN for secured internet connection

Your internet and public Wi-Fi connection may put your personal data and privacy at risk. VPN (Virtual Private Network) provides a safe and recommended way to protect your online activity while browsing the internet or remotely accessing your NAS. The new QVPN 2.0 (coming soon!) integrates the popular, lightweight, and reliable WireGuard VPN, providing you with an easy-to-use interface for setting up a secure connection – an especially great tool for home and remote working.

Boosted NVMe SSD cache performance

The new kernel improves PCIe performance, which enables QTS 5.0 to enhance NVMe SSD performance and utilization. When cache acceleration is activated, SSD storage can be utilized more efficiently while also offloading memory resources. It maintains high performance even when multiple concurrent users access the same shared folders, and transferring large-size files via SMB/NFS becomes faster.

QuFTP fulfills personal and business file transfer needs

QuFTP consolidates all FTP related activities into a single app with a user-friendly interface and permission settings for efficiently and securely transferring large amounts of data.

FTP Server

The encrypted SSL/TLS connection provides higher security and protects your FTP transfers. QoS bandwidth allows for setting FTP transfer limitations or speed limitations for users and groups. QuFTP’s rule engine allows more detailed configuration, including access hours, limiting access to only the FTP root folder, adding watermarks to images and videos, and more.

FTP Client

Before activating the FTP client, make sure that your firewall allows connections to the FTP server. You can also create remote mounts of shared folders to make them accessible on the NAS.

The FULL List of Changes in QTS 5.0 Compared to QTS 4.5

Along with the bigger changes listed above, there are numerous other smaller changes in QNAP QTS 5.0 compared with QTS 4.5 for NAS that are worth noting. Some are compatibility improvements within certain applications; others are more noticeable changes to the default lineup of applications and services at launch. Here are the rest of the change notes from QNAP on this new NAS software:

  • QTS now supports Desktop Notice Board, which provides notifications for various events and announcements.
  • QTS now supports TLS 1.3 for HTTPS secure connection.
  • Users can now import custom root certificates to certify the SSL certificate of a server that the NAS needs to access.
  • Updated OpenSSL to 1.1.1.
  • Improved SSD cache design to enhance storage performance. Existing SSD cache will be automatically converted to the new design after QTS update to 5.0.0.
  • File Station now supports displaying thumbnail previews for PDF files.
  • Network & Virtual Switch now supports the DDNS service “DDNS Now”.
  • Added the option to enable or disable strong cipher suites.
  • Added an option to choose whether to redirect users to the NAS login screen when connecting to the NAS IP address without the system port. To enhance device security, this option is disabled by default.
  • To enhance device security, UPnP Discovery Service is now disabled by default.
  • Added support for Content Security Policy HTTP header.
  • QTS now enables the default “admin” account and resets its password when users press the Reset button on the NAS for three seconds. Nevertheless, to ensure device security, we recommend disabling the “admin” account and using a new administrator account after you finish resetting the system.
  • Users in the administrator group now have read/write access permissions for default shared folders, except the “homes” shared folder.
  • Users can now manually specify the time interval and the maximum number of failed login attempts in Control Panel to further enhance NAS security.
  • Qsync Central is not pre-installed in QTS. Users can install this application in the App Center.
  • Improved the user interface of Advanced Search in QuLog Center.
  • Added support for displaying the total connection time of online users.
  • QuLog Center now displays computer names and accessed resources in System Access Log and Online Users.
  • To ensure device security, QTS now displays a message to remind users to disable the default “admin” account and to create another administrator account.
  • QTS now displays a message to remind users to enable 2-step verification to ensure account security.
  • QTS Smart Installation Guide now requires users to create a new administrator account. The default “admin” account is disabled after initialization.
  • QTS no longer pre-installs SSD Profiling Tool by default. Users can install this tool in the App Center.
  • To ensure system security, QTS now automatically disables applications that are not updated and that do not meet the minimum version requirements.
  • Removed support for USB printers.
  • Qboost is no longer a built-in application of QTS. Users can choose to install Qboost in App Center.
  • Starting from QTS 5.0.0, QVR Pro Client is no longer supported. You can now install QVR Smart Client as the client software for your QVR Pro or QVR Elite surveillance servers.
  • Users need to manually remove and then re-create SSD cache after updating QTS to 5.0.0 beta.
  • QTS 5.0.0 beta temporarily does not support certain file systems on external storage devices. To work around this issue, users can use HBS3 to back up files to external storage devices. Note that this workaround may require more CPU resources and increase backup task duration. We will soon fix this issue in an upcoming release.
  • QTS 5.0.0 beta temporarily does not support the following applications, utilities, or services:

* vSphere Web Client Plug-in
* QNAP SMI-S Provider
* QNAP Snapshot Agent
* KoiMeeter
* Marvell 88SE1475 driver
* Intel QuickAssist Technology (QAT) Driver
* Remote Direct Memory Access (RDMA) Driver
* NVIDIA GPU Driver
* Advanced Network Driver
* Other miscellaneous third-party applications

Which QNAP NAS Drives Support the QTS 5 Beta?

The full range of QNAP NAS systems that support the QTS 5.0 Beta is largely limited to systems released in the 2019-2021 period; however, it is not limited to the high-end releases, with several ARM-based and entry-level NAS systems being included. Also, remember that this is a whole-system software upgrade and it’s not entirely clear how easy/possible it is to downgrade your system to QTS 4.5 afterwards. I am in the process of deploying this QTS 5.0 beta over on YouTube and comparing it with QTS 4.5 to show you guys how they have changed things up. Stay tuned for that; otherwise, if you want to go ahead and test the QTS 5.0 beta on your QNAP NAS today, you can use the link HERE and check below to make sure you are on the compatibility list.

QTS 5.0.0 Beta Supported NAS
TS-328, TS-428, TS-230, D2 Rev-B
TS-231+, TS-431+, TS-131P, TS-231P, TS-431P, TS-131K, TS-231K, TS-431K, D2, D4, D4 Rev-B
TS-251B
TS-251D, TS-451D, TS-451D2
TS-253D, TS-453D, TS-653D, TS-453Dmini, HS-453DX, TBS-453DX
TS-453Bmini, TS-253B, TS-453B, TS-653B, TS-453BT3, TS-253Be, TS-453Be
TVS-472XT, TVS-672XT, TVS-872XT
TVS-872X, TVS-672X
TVS-672N, TVS-872N
TS-473, TS-673, TS-873
TS-473A, TS-673A, TS-873A, TS-h973AX
TS-h2490FU

 



WD My Book Live NAS – Remote Format Attack Reported

25 June 2021 at 21:58

WD My Book NAS Devices Being Remotely Formatted

If you are reading this and you own a WD My Book Live or WD My Book Live Duo, then you might want to go check on it and maybe disconnect it from the internet for now. In the last 24+ hours, multiple users have reported that, whilst trying to access their WD My Book NAS drive, they were barred entry with an ‘invalid password’ and the mobile applications had stopped connecting. Upon further investigation, they then found that their system had been completely formatted (ranging from directories, volumes and pools to, in some cases, everything) and all their data was lost. This was originally raised over on the official WD Support blog here and, not long after, multiple users reported similar issues at the same time. Further examination of logs (once access to the system was possible) showed that remote access had been established to the system and a command to reset the system and storage had been delivered. So what has happened? How did it happen, and can the WD My Book Live data that people have lost be recovered?

How Did WD My Book Live NAS Drives Get Accessed Remotely

The WD My Book Live and My Book Live Duo are designed for access via the network and internet and were among some of WD’s first products for traditional NAS use: not just an HDD-on-the-internet, but with a GUI and a dedicated CPU handling RAID, backup tasks and general system management. Remote access is conducted by reaching the NAS through the firewall via the official WD My Cloud Live servers (included with the cost of the device). However, this remote access is what was used to push a command to the WD My Book Live system, executing the system reset, with the following showing in the system’s logs (from user Sunpeak on the WD Forums here):

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
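For anyone who forwards syslog from a device like this to a collector, the following added Python example (not from the post or from WD) turns the pattern in the log above into a detection: it parses the BSD-syslog lines, raises a critical finding whenever the factory-restore script starts, and attaches the reboot and the later data-volume mount as corroborating events. The sample lines are a subset of the excerpt quoted above, embedded inline; the watchlist of script names and the year assumed for the timestamps are assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: a subset of the MyBookLive lines quoted above from the WD forum
# post, including ordinary boot lines so the detector has something benign to ignore.
SAMPLE_LOG = """\
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
"""

# BSD syslog timestamps carry no year; one is assumed purely to order the events.
ASSUMED_YEAR = 2021

# "Mon DD HH:MM:SS host program[pid]: message", as written by the device's syslog.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Scripts whose mere execution on a NAS warrants an alert (assumed watchlist).
DESTRUCTIVE_PROGRAMS = {"factoryRestore.sh"}


def parse_line(line: str) -> Optional[Dict]:
    """Parse one syslog line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "pid": m["pid"], "msg": m["msg"]}


def detect_factory_reset(lines: List[str], reboot_window_s: int = 60) -> List[Dict]:
    """Flag factory-restore executions and collect the events that corroborate them.

    A reboot within `reboot_window_s` of the restore, and a later data-volume mount
    (the volume coming back empty), are the two tell-tales visible in the quoted log.
    """
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    findings = []
    for i, ev in enumerate(events):
        if ev["prog"] not in DESTRUCTIVE_PROGRAMS or "begin script" not in ev["msg"]:
            continue
        finding = {
            "severity": "critical",
            "host": ev["host"],
            "when": ev["ts"].isoformat(),
            "reason": f"{ev['prog']} executed",
            "corroborated_by": [],
        }
        for later in events[i + 1:]:
            delta = int((later["ts"] - ev["ts"]).total_seconds())
            if later["prog"] == "shutdown" and "reboot" in later["msg"] and delta <= reboot_window_s:
                finding["corroborated_by"].append(f"reboot {delta}s later")
            elif later["prog"] == "S15mountDataVolume.sh":
                finding["corroborated_by"].append(f"data volume mounted at {later['ts'].isoformat()}")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_factory_reset(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity'].upper()}] {f['host']} {f['when']}: {f['reason']}; "
              + "; ".join(f["corroborated_by"]))
```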

Since this was originally raised yesterday, lots of users have followed reporting the same, clearly showing this is an orchestrated attack on WD My Book Live systems, with the additional sad note that no ransom.txt or other ransomware-style communication has been left, meaning this has been done with the pure intention of destroying people’s data! Pretty lousy stuff! Since then this has gained considerable traction on multiple websites and the details on the National Vulnerability Database entry (click below) have been updated several times:

 

How Has Western Digital Responded to the WD My Book Live Attack

The response from WD to this NAS attack has been remarkably swift, considerably faster than I have personally seen from other brands in similar circumstances in previous years, with official instructions and widespread notification on their platforms in well under a day. WD have stated on their Security Advisory pages:

WDC Tracking Number: WDC-21008
Product Line: WD My Book Live and WD My Book Live Duo
Published: June 24, 2021

Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live and My Book Live Duo devices received their final firmware update in 2015. We understand that our customers' data is very important. We are actively investigating the issue and will provide an updated advisory when we have more information.

Advisory Summary – At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device.
CVE Number: CVE-2018-18472

So, in short, WD believes this was caused by remote commands pushed to WD My Book Live and My Book Live Duo systems through an unpatched vulnerability in the device firmware. They maintain that the issue does not originate on their server side, but are still investigating to get to the bottom of it.

How Can a Vulnerability in the WD My Book Live Not Be Patched in a Firmware Update?

As mentioned earlier, the WD My Book Live and My Book Live Duo were among WD's earliest true NAS releases, dating back to 2010. Although these systems received numerous updates, the final firmware update was officially issued in 2015 (see below).

Given the expected life of hard drives, product lifespans and a vendor's broader commitment to customers, it is not unheard of for firmware updates on a product line to cease after a given period (the same is true of most software-enabled hardware in our homes and businesses). However, that is little comfort to those whose data has been deleted. Moreover, this is a vulnerability that was reported back in 2018 by WizCase and found on numerous 'first generation' NAS systems released in that period. At the time, WD responded officially with:

“The vulnerability report CVE-2018-18472 affects My Book Live devices originally introduced to the market between 2010 and 2012. These products have been discontinued since 2014 and are no longer covered under our device software support lifecycle. We encourage users who wish to continue operating these legacy products to configure their firewall to prevent remote access to these devices, and to take measures to ensure that only trusted devices on the local network have access to the device.”

Once again, there is a balance to keep in mind between reliance on the hardware you purchased, the rigidity of a product a considerable time after its release, and the maintenance of backups as part of a robust data storage strategy. In practical terms, a device that no longer receives firmware updates should not be reachable from the internet at all: disable the vendor's remote-access/relay feature and any UPnP port forwarding on the router, and restrict it to the local network, as WD's 2018 advice already suggested. It will be interesting to see how WD responds as this situation unfolds.

Can The Lost Data on the WD My Book Live and My Book Live Duo Be Recovered?

As this was a format of the system as a whole, recovering data from a factory-reset/wiped WD My Book Live is very difficult. In previous cases of malware encryption or malicious data destruction, many users have turned to the tremendously useful PhotoRec tool (previously featured in the QNAP Qlocker recovery guides). PhotoRec is file recovery software designed to recover lost files, including video, documents and archives, from hard disks (as well as legacy media such as CD-ROMs) and memory cards. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media's file system has been severely damaged or reformatted. However, this is by no means foolproof, and it requires rather more technical knowledge than many have (getting at the NAS disks in a software-accessible way, by removing them and attaching them to a PC, being the first major hurdle). Also bear in mind that this kind of carving recovers only contiguous, unfragmented files and loses file names and folder structure, and that any new writes to the disk after the wipe overwrite what could otherwise be recovered, so image the drive read-only before attempting anything. Here is an example of a PhotoRec recovery guide, and we hope a more WD My Book Live specific guide will surface shortly.
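To make the 'ignores the file system and goes after the underlying data' point concrete, here is an added example (not the article's or PhotoRec's code) of the same header/footer carving technique in Python. It builds a constructed raw image with no file system at all, containing one genuinely valid 1x1 PNG and one JPEG-shaped stub, carves both back out by signature, and validates the PNG's chunk CRCs the way a carver sanity-checks a hit. The signature table, the sample image and the size limit are assumptions for the demo; on a real recovery you would read a read-only image of the NAS disk instead.

```python
import struct
import zlib

# Header/footer signatures a carver keys on (assumed subset; PhotoRec knows hundreds of formats).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}
MAX_FILE_SIZE = 64 * 1024 * 1024  # assumption: ignore header/footer pairs further apart than this


def carve(image, signatures=SIGNATURES, max_size=MAX_FILE_SIZE):
    """Scan raw bytes (no file system needed) and return (kind, offset, data) for each hit."""
    found = []
    for kind, (head, tail) in signatures.items():
        pos = 0
        while True:
            start = image.find(head, pos)
            if start == -1:
                break
            end = image.find(tail, start + len(head))
            if end == -1 or end + len(tail) - start > max_size:
                pos = start + 1          # header without a plausible footer: keep scanning
                continue
            end += len(tail)
            found.append((kind, start, image[start:end]))
            pos = end                    # resume after the carved file
    return sorted(found, key=lambda hit: hit[1])


def png_chunks_valid(blob):
    """Walk the PNG chunk list and check every CRC; carvers use checks like this to reject false hits."""
    if not blob.startswith(SIGNATURES["png"][0]):
        return False
    off = 8
    while off + 12 <= len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        if off + 12 + length > len(blob):
            return False                 # chunk claims more data than the blob holds
        tag = blob[off + 4:off + 8]
        data = blob[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", blob[off + 8 + length:off + 12 + length])
        if zlib.crc32(tag + data) & 0xFFFFFFFF != crc:
            return False
        off += 12 + length
        if tag == b"IEND":
            return off == len(blob)      # nothing may follow the IEND chunk
    return False


def make_png():
    """Build a minimal, valid 1x1 RGB PNG so the sample image holds a real file."""
    def chunk(tag, data):
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", zlib.crc32(tag + data) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\x00\x00\x00")              # filter byte + one black RGB pixel
    return SIGNATURES["png"][0] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def build_sample_image():
    """Constructed 'wiped' volume: no file system, just slack space with two files still inside."""
    jpeg_stub = b"\xff\xd8\xff\xe0" + b"\x00" * 64 + b"\xff\xd9"  # SOI + APP0 marker, padding, EOI
    return b"\x00" * 4096 + make_png() + b"\xff" * 1000 + jpeg_stub + b"\x00" * 2048


if __name__ == "__main__":
    for kind, offset, data in carve(build_sample_image()):
        print(f"{kind} at offset {offset}: {len(data)} bytes, png valid={png_chunks_valid(data) if kind == 'png' else 'n/a'}")
```

Run against a real disk image you would replace `build_sample_image()` with the bytes of the image (streaming it in windows rather than reading it all at once for a multi-terabyte volume), and the output is exactly what PhotoRec gives you: files named by offset and type, with no directory structure, which is why the article's backup advice matters more than any recovery tool.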

Is My WD My Cloud or Regular WD My Book Direct Attach Storage Device Affected?

At this time there are no reports of this affecting the current generations of WD My Cloud, WD My Cloud Pro, WD My Cloud EX2 or WD My Cloud Sentinel systems (which have far more recent firmware updates). Likewise, this will not affect WD My Book desktop drives that lack network/ethernet connectivity, as these have neither the means of communication nor the software interface for a malicious command to be injected remotely.

 



Vulnerabilities and Exploits on Synology & QNAP NAS – Stay Updated!

26 May 2021 at 15:00

Be Regularly Updated on Security Concerns with Synology & QNAP NAS

Recently there has been a spotlight on some NAS brands and their security and protection against attacks by hackers and online intruders. In some cases this has come down to holes found in the system software or its protocols which, if left unpatched, can lead to ransomware like the QNAP Qlocker of 2021 or the Synology SynoLocker of 2014. These can stem from many methods, but ultimately they revolve around attackers picking apart the latest firmware and finding loopholes/backdoors in the system software each time it receives an official update. This is not unusual, and practically ALL software-driven services and hardware in your home/business environment go through it: most firmware updates to everything from your phone to your TV, router and console are specifically designed to close these newly found chinks in the armour. It is a constant game of cat and mouse; however, in the great majority of cases the software vulnerability that led to your system being penetrated had already been fixed in a firmware/software update that your device had not yet received, usually because it had not been updated in a considerable length of time.

Why Do People Not Update Their QNAP or Synology NAS System Software Immediately?

Of course, updating the firmware on your NAS every single time a new system software version is released is not quite as simple as that. Sure, the actual ACT of updating is very easy, and the NAS will constantly remind you of updates to the system firmware or to individual apps, but many still do not act on them immediately. This is by no means exclusive to NAS either: many, MANY users are choosing to ignore the Windows Update icon at the bottom right of the screen right now, or the system update restart/remind prompt at the top right on a Mac. There are several reasons people do not immediately update their firmware, such as:

  • The system is currently in use and there is no time right now to allow a restart, with current projects/tabs/services still running
  • You once or twice experienced an update on a NAS (or really any device that has regular updates) that left the system unable to perform to its previous standard (a software feature changed or removed), so you had to perform a complicated firmware roll-back/downgrade and it left you less keen to apply firmware updates immediately
  • It is a major firmware update that changes the system GUI and system options notably, so you do not wish to apply a software update that will increase the learning curve
  • (less common, but it certainly happens) Your NAS is part of a wider group of systems managed centrally (e.g. via a CMS) that either cannot be, or is not recommended to be, updated individually without updating every other system at the same time

So it is all well and good for me to say 'you should always update', but the truth is that many have rather valid/understandable reasons for not doing so straight away. Of course, the alternative would be for brands to FORCE system updates through automatically, or to block an app/system from connecting to online services until the update is installed (as gaming services like PlayStation Network and Xbox Live do), but on a NAS, or even on desktop/phone systems, these options would be INCREDIBLY UNPOPULAR. So that is how we reached the current state of affairs between the NAS brands, their system updates, individual app updates and how/when users choose to apply them. So, how do we resolve this?

 


How Can You Stay On Top Of NAS Updates and Be Aware of Vulnerabilities on your NAS?

Many users might not be aware, but the majority of NAS brands (and this extends to enterprise storage vendors like NetApp, cloud storage like Google Drive and large object storage providers like AWS and Azure) have an online portal, known as a Security Advisory page, that details the latest vulnerabilities, issues and faults raised against their respective platforms. These are made available for public view (as they are submitted) along with their effect, severity, current investigation status, date of resolution and recommended action. See below:


 

These pages are as much a matter of due diligence (and, for many vendors, a disclosure obligation under their terms of service) as a kind and wholesome gesture. However, it can be INCREDIBLY INTIMIDATING to read through them; even a 5-minute glance will make you question how on earth you have not been hacked yet. But many of these vulnerabilities are quite narrow: they apply only to long-outdated firmware (perhaps 2-3 years old), require exceptionally weak security settings, a DMZ configuration that exposes the NAS directly to the internet, or a particular tool being used in a certain way. Nevertheless, users who see these listings tend to go one of two ways. One, they IMMEDIATELY UPDATE EVERYTHING and keep updating as soon as updates appear (regardless of the reasons against it listed earlier). Two, they scroll through the vulnerabilities, see that none appear applicable to their own network hardware/storage setup, and continue not updating until something more specific to their setup appears. There are pros and cons to either approach, of course, but it is better to have all the facts and listed vulnerabilities at your disposal than to proceed on hunches and guesses. When triaging an advisory, the questions that matter are: does it name a package or service you actually run, is that service reachable from the internet or only from the LAN, what severity does the vendor assign, and is a fixed version already available.

How to Automatically Get Updated When Synology and QNAP NAS Vulnerabilities are Reported

Pretty much ALL of the brands in NAS, data storage and cloud services have these security advisory pages, but checking them manually (i.e. via a bookmark) every day, week or month is too much hassle for many. On the other hand, they all provide an RSS feed link that allows users to subscribe to updates, BUT many users are not even aware of how to use an RSS feed (it is an XML feed that has to be added to an RSS reader client, so hardly beginner friendly). So, in order to make this 1000x easier, I have (and by 'I', I mean Eddie the Web Guy spent time on it and I made this article!) built this page, which will be constantly updated with the latest vulnerabilities reported by the popular NAS brands and storage-related manufacturers. It is still being built (so more brands are being added), but it lets you simply enter your email address below (it will not be used for profit or spamming) and you will then get an alert EVERY TIME a new security vulnerability is published by the brands (this is automated, so it will appear here as soon as it appears on the respective security advisory page). Additionally, there will be links back to the brand/manufacturer site so you can find out more about individual exploits and vulnerabilities, how they work, what they do and (most importantly) get a better idea of whether you should update your NAS/storage system or not. I hope you find it helpful, and if you have any recommendations or ideas for what we should add to this page/service to make it even better, let us know in the comments or directly here: https://nascompares.com/contact-us
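As an added illustration of what an automated advisory alert like this does under the hood (example code, not the NASCompares site's own feed tooling), here is a Python snippet that parses an RSS feed of advisories, remembers which entry IDs have already been seen, and raises only the unseen entries that name a package you actually run at or above a severity floor, which is the triage described a few paragraphs up. The feed is constructed inline from the Synology rows listed further down this page; real vendor feeds differ in layout, so the `Severity: X.` parsing of the description, the example URLs and the severity ranking are assumptions to adapt per vendor.

```python
import re
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed sample feed (not a real vendor feed); titles/severities mirror Synology rows on this page.
SAMPLE_FEED = """<rss version="2.0"><channel>
<title>Constructed advisory feed (sample data)</title>
<item><title>Synology-SA-21:21 Audio Station</title><link>https://advisories.example.com/sa-21-21</link>
<guid>sa-21-21</guid><pubDate>Wed, 16 Jun 2021 08:05:29 GMT</pubDate>
<description>Severity: Important. Status: Resolved.</description></item>
<item><title>Synology-SA-21:20 FragAttacks</title><link>https://advisories.example.com/sa-21-20</link>
<guid>sa-21-20</guid><pubDate>Wed, 12 May 2021 10:26:08 GMT</pubDate>
<description>Severity: Moderate. Status: Ongoing.</description></item>
<item><title>Synology-SA-21:14 OpenSSL</title><link>https://advisories.example.com/sa-21-14</link>
<guid>sa-21-14</guid><pubDate>Mon, 29 Mar 2021 00:56:36 GMT</pubDate>
<description>Severity: Not affected. Status: Resolved.</description></item>
</channel></rss>
"""

# Assumed ranking; unknown/unparsable severities are treated as "must review" (rank 4).
SEVERITY_RANK = {"critical": 4, "important": 3, "moderate": 2, "low": 1, "not affected": 0}


def parse_feed(xml_text):
    """Turn an RSS 2.0 document into a list of advisory dicts, in feed order."""
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        desc = item.findtext("description", "")
        sev = re.search(r"Severity:\s*([A-Za-z ]+?)\.", desc)   # assumption about description layout
        entries.append({
            "id": item.findtext("guid") or item.findtext("link"),
            "title": item.findtext("title", "").strip(),
            "link": item.findtext("link", ""),
            "published": parsedate_to_datetime(item.findtext("pubDate")),
            "severity": sev.group(1).strip().lower() if sev else "unknown",
        })
    return entries


def triage(entries, seen_ids, installed, min_severity="moderate"):
    """Return unseen entries that name something you run, at or above the severity floor, newest first."""
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for e in entries:
        if e["id"] in seen_ids:
            continue                                   # already alerted on this advisory
        relevant = any(name.lower() in e["title"].lower() for name in installed)
        if relevant and SEVERITY_RANK.get(e["severity"], 4) >= floor:
            hits.append(e)
    return sorted(hits, key=lambda e: e["published"], reverse=True)


if __name__ == "__main__":
    seen = set()                                       # persist this between runs in a real poller
    my_packages = {"Audio Station", "Hyper Backup", "OpenSSL", "DSM"}
    for hit in triage(parse_feed(SAMPLE_FEED), seen, my_packages):
        print(hit["published"].date(), hit["severity"], hit["title"], hit["link"])
        seen.add(hit["id"])
```

For a live poller, replace `SAMPLE_FEED` with the bytes returned by `urllib.request.urlopen(feed_url).read()`, store the seen IDs on disk, and run it from cron; keeping the relevance filter on package names is what stops the feed becoming the intimidating wall described above.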



 

QNAP NAS Current Vulnerabilities and Exploits [OPEN 🔗]

Advisory title (date published, 2021); each entry links to the corresponding QNAP security advisory:

Command Injection in QTS (Thu, 24 Jun)
Insecure Storage of Sensitive Information in myQNAPcloud Link (Wed, 16 Jun)
SMB Out-of-Bounds Read in QTS (Wed, 16 Jun)
Out-of-Bounds Read in QSS (Fri, 11 Jun)
Inclusion of Sensitive Information in QSS (Fri, 11 Jun)
Improper Access Control in Helpdesk (Fri, 11 Jun)
Post-Authentication Reflected XSS in Qcenter (Thu, 03 Jun)
Command Injection in Video Station (Thu, 03 Jun)
DOM-Based XSS in QTS (Thu, 03 Jun)
Relative Path Traversal in QTS (Fri, 21 May)
Qlocker Ransomware (Fri, 21 May)
[title truncated in the feed] in Roon Server (Fri, 14 May)
eCh0raix Ransomware (Fri, 14 May)
Command Injection in Malware Remover (Thu, 13 May)
Improper Access Control in Music Station (Thu, 06 May)
AgeLocker Ransomware (Thu, 29 Apr)
Improper Authorization in HBS 3 (Hybrid Backup Sync) (Thu, 22 Apr)
SQL Injection in Multimedia Console and the [title truncated in the feed] (Fri, 16 Apr)
Command Injection in QTS (Fri, 16 Apr)
Cross-site Scripting in File Station (Fri, 16 Apr)

 

SYNOLOGY NAS Current Vulnerabilities and Exploits [OPEN 🔗]

Advisory ID  Affected component  Severity  Status  Last updated
Synology-SA-21:21 Audio Station Important Resolved 2021-06-16 16:05:29 UTC+8
Synology-SA-21:20 FragAttacks Moderate Ongoing 2021-05-12 18:26:08 UTC+8
Synology-SA-21:19 SRM Important Resolved 2021-05-11 14:23:32 UTC+8
Synology-SA-21:18 Hyper Backup Moderate Resolved 2021-05-04 13:37:52 UTC+8
Synology-SA-21:17 Samba Moderate Ongoing 2021-05-06 11:28:17 UTC+8
Synology-SA-21:16 ISC BIND Moderate Ongoing 2021-05-03 10:34:51 UTC+8
Synology-SA-21:15 Antivirus Essential Important Resolved 2021-04-28 08:12:48 UTC+8
Synology-SA-21:14 OpenSSL Not affected Resolved 2021-03-29 08:56:36 UTC+8
Synology-SA-21:13 Samba AD DC Important Ongoing 2021-05-13 17:31:08 UTC+8
Synology-SA-21:12 Synology Calendar Moderate Resolved 2021-06-19 10:53:03 UTC+8
Synology-SA-21:11 Download Station Important Resolved 2021-06-19 11:15:17 UTC+8
Synology-SA-21:10 Media Server Moderate Resolved 2021-06-19 10:55:28 UTC+8
Synology-SA-21:09 WebDAV Server Moderate Resolved 2021-02-23 11:18:19 UTC+8
Synology-SA-21:08 Docker Low Resolved 2021-06-13 11:21:28 UTC+8
Synology-SA-21:07 Synology Directory Server Moderate Resolved 2021-02-23 11:17:51 UTC+8
Synology-SA-21:06 CardDAV Server Important Resolved 2021-02-23 11:17:26 UTC+8
Synology-SA-21:05 Audio Station Important Resolved 2021-02-23 09:52:31 UTC+8
Synology-SA-21:04 Video Station Moderate Resolved 2021-06-10 16:25:07 UTC+8
Synology-SA-21:03 DSM Important Pending 2021-06-11 09:45:46 UTC+8
Synology-SA-21:02 Sudo Low Ongoing 2021-06-02 17:00:07 UTC+8

 

ASUSTOR NAS Vulnerabilities and Exploits [OPEN 🔗]

Note: the entries currently populated in this section come from the ASUS product security advisory feed (routers, notebooks, servers and phones) rather than from ASUSTOR's NAS advisories. Dates below are YYYY-MM-DD.

2021-05-24 Security advisory for FragAttack
2021-03-29 ASUS ASMB8-iKVM and ASMB9-iKVM Firmware Security Update for ASUS Server Products
2021-03-24 ASUS SMM Privilege Security Update (CVE-2021-26943) for ASUS SKL Notebook PCs
2021-03-09 Security advisory for DNSpooq
2020-07-10 ASUS ScreenPad 2 Upgrade Tool Security Update (CVE-2020-15009) for ASUS PCs with ScreenPad 1.0 (UX450FDX, UX550GDX and UX550GEX)
2020-04-14 ASUS Update Regarding Mitigation for Known Intel CPU Vulnerabilities
2020-04-09 ASUS Device Activation Security Update (CVE-2020-10649) for ASUS Notebook PCs
2020-03-18 Security Advisory for CVE-2019-15126 (Kr00k)
2020-03-09 Security Notice for CVE-2018-18287
2020-02-14 ROG Gaming Center Package Security Update
2019-11-26 New firmware update for wireless router RT-AC1750_B1 RT-AC1900 RT-AC1900P RT-AC1900U RT-AC86U RT-AC2900 RT-AC3100 RT-AC3200 RT-AC51U RT-AC51U+ RT-AC52U B1 RT-AC66U RT-AC66U B1 RT-AC66U_WHITE RT-AC67U RT-AC68P RT-AC68R RT-AC68RF RT-AC68RW RT-AC68U RT-AC68U 2 Pack RT-AC68U_WHITE RT-AC68W RT-AC750 RT-AC87R RT-AC87U RT-AC87W RT-N66U RT-N66U_C1 RT-N14U
2019-11-15 Important information about ASUSWRT security
2019-10-21 ATK Package Security Update (CVE-2019-19235) for ASUS Notebook PCs
2019-06-14 BIOS Update Announcement for ASUS Notebook PCs
2019-05-16 New firmware update for wireless router RT-AC1750_B1 RT-AC1900 RT-AC1900P RT-AC1900U RT-AC2900 RT-AC3100 RT-AC3200 RT-AC51U RT-AC5300 RT-AC56S RT-AC56U RT-AC66U RT-AC66U B1 RT-AC66U_WHITE RT-AC67U RT-AC68P RT-AC68R RT-AC68RF RT-AC68RW RT-AC68U RT-AC68U 2 Pack RT-AC68U_WHITE RT-AC68W RT-AC750 RT-AC86U RT-AC87R RT-AC87U RT-AC87W RT-AC88U RT-N18U RT-N66U RT-N66U_C1
2019-05-02 Latest software announcement for ZenFone devices
2018-08-14 Security advisory for OpenVPN server
2018-08-07 Latest software announcement for ZenFone ZenPad devices
2018-06-08 Security advisory for VPNFilter malware
2018-04-03 Security Vulnerability Notice (CVE-2018-5999, CVE-2018-6000) for ASUS routers
2017-10-31 Update on security advisory for the vulnerability of WPA2 protocol
2017-10-18 Security advisory for the vulnerabilities of WPA2 protocol

 

Work In Progress – More Security Advisory Updates and Reports Coming Soon for Other Brands

 

 
