
Vulnerabilities and Exploits on Synology & QNAP NAS – Stay Updated!

26 mai 2021 à 15:00

Be Regularly Updated on Security Concerns with Synology & QNAP NAS

Recently there has been a spotlight on some NAS brands and their security and protection from attacks by hackers and online intruders. In some cases, this has come down to holes being found in the system software or system protocols over time that, if left unpatched, can lead to ransomware such as the QNAP QLocker of 2021 or the Synology Synolocker of 2014. These attacks can stem from many methods, but ultimately revolve around hackers picking apart the latest firmware each time it is officially updated and finding loopholes/backdoors within the system software. This is not unusual, and practically ALL the computer software-related services and hardware in your home/business environment go through this – most updates to the firmware in everything from your phone to your TV, router, console and more are specifically designed to close these newly found chinks in the armour. It is a constant game of cat and mouse; however, in almost all cases the vulnerability in software (that led to your system being penetrated) will come down to the fact that your device's firmware/software has not been updated in a considerable length of time.

Why Do People Not Update Their QNAP or Synology NAS System Software Immediately?

Of course, updating the firmware on your NAS every single time a new system software version is released is not quite as simple as that. Sure, the actual ACT of updating is super easy, and the NAS system will constantly remind you of updates to your system firmware or individual app software – but many still do not immediately action this update. This is by no means exclusive to NAS either, with many, MANY users choosing to ignore the Windows update icon at the bottom right of the screen right now, or the recommended system update restart/remind option at the top right on a Mac. There are several reasons that people do not immediately update their firmware, such as:

  • The system is currently in use and there is no time right now to allow a restart, with current projects/tabs/services still operational
  • You once or twice experienced an update on a NAS (or really any device that has regular updates) that left the system unable to perform to the previous standard (a software feature changed/removed), so you had to perform a complicated firmware roll-back/downgrade, and it left you less keen on immediate firmware actions
  • It is a major firmware update that changes the system GUI and system options notably, so you do not wish to action a software update that will increase the learning curve
  • (less common, but it certainly happens) Your NAS system is part of a wider network of systems (part of a CMS) that either cannot be, or is not recommended to be, individually updated without updating every other system at the same time

So, it is all well and good for me to say ‘you should always update’, but the truth is that many have rather valid/understandable reasons for not actioning these straight away. Of course, the alternative would be for brands to automatically FORCE system updates through, or to restrict an app/system from connecting with online services until the update is installed (as found with gaming services like PlayStation Network and Xbox Live) – but on a NAS, or even on desktop/computer/phone-based systems, these options would be INCREDIBLY UNPOPULAR! So, that is how we reached the current state of affairs between the NAS brands, their system updates, individual app updates and how/when users choose to action them. So, how do we resolve this?



How Can You Stay On Top Of NAS Updates and Be Aware of Vulnerabilities on your NAS?

Many users might not be aware, but the majority of NAS brands (and indeed this extends to enterprise service providers like NetApp, cloud storage like Google Drive and large blob-type storage like AWS and Azure) have an online portal, known as the Security Advisory, that details the latest vulnerabilities, issues and faults raised on their respective platforms. These are then available for public view (as they are submitted), and their effect, danger, current investigation status, date of resolution and recommended action are displayed. See below:



These pages are almost certainly a legal requirement as part of their terms of service and due diligence, not just a kind and wholesome gesture. However, it can be INCREDIBLY INTIMIDATING to read through them – even a 5-minute glance will make you question how on earth you have not been hacked yet! However, many of these vulnerabilities are exceptionally small and rely on exceptionally outdated firmware (perhaps 2-3 years overdue), require exceptionally weak security settings or DMZ network settings to be in place, or are simply specific to a particular tool being used in a certain way. Nevertheless, many users will see these listings of issues and go one of two ways. One, they IMMEDIATELY UPDATE EVERYTHING and regularly update as soon as updates appear (regardless of the reasons against it listed earlier). Two, they look at the vulnerabilities, scroll through, see that none of them appear to be applicable to their own network hardware/storage setup, and then continue not updating until something more specific to their setup appears. There are pros and cons to either action of course, but it is better to have all the facts and listed vulnerabilities at your disposal than to proceed on just hunches and guesses!

How to Automatically Get Updated When Synology and QNAP NAS Vulnerabilities are Reported

Pretty much ALL of the brands in NAS, data storage and cloud services have these security advisory pages, but the idea of checking these pages manually (i.e. via a bookmark etc.) every day, week or month is too much of a hassle for many. On the other hand, they all come with an RSS feed link that allows users to subscribe to updates, BUT many users are not even aware of how to use an RSS feed (it’s a complex XML feed of text that needs to be loaded into an appropriate RSS feed client/reader – so yeah, hardly noob friendly). So, in order to make this 1000x easier, I have (and by me, I mean Eddie the Web Guy spent time on it and I made this article!) made this page, which will be constantly updated with the latest vulnerabilities reported by the popular NAS brands and storage-related manufacturers. It is still being built (so more brands are being added), but it will allow you to just chuck your email address below (it will not be used for profit or spamming etc.) and then you will get an alert EVERY TIME a new security vulnerability is published by the brands (this is automated, so it will appear here as soon as it appears on the respective security advisory page). Additionally, there will be links back to the brand/manufacturer site so you can find out more about individual exploits and vulnerabilities, how they work, what they do and (most importantly) get a better idea of whether you should update your NAS/Storage system or not. I hope you find it helpful, and if you have any recommendations or ideas for what we should add to this page/service to make it even better – let us know in the comments or directing here –
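The automation described above, as an added example that is not the page's own service or code: a small Python poller that parses an advisory RSS feed, remembers which advisories it has already reported, and flags only new ones that name a package you actually run and meet a severity threshold (the "is this applicable to my setup?" question raised earlier). The feed text, its field names (guid/category) and the example.invalid links are constructed assumptions; real vendor feeds differ in layout.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the shape of an RSS 2.0 advisory feed. Advisory IDs follow
# the Synology-SA-YY:NN style shown on this page; links and categories are made up.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example NAS Security Advisories</title>
<item><title>Synology-SA-21:21 Audio Station</title><guid>SA-21:21</guid>
<link>https://example.invalid/sa/21-21</link><category>Important</category></item>
<item><title>Synology-SA-21:20 FragAttacks</title><guid>SA-21:20</guid>
<link>https://example.invalid/sa/21-20</link><category>Moderate</category></item>
<item><title>Synology-SA-21:08 Docker</title><guid>SA-21:08</guid>
<link>https://example.invalid/sa/21-08</link><category>Low</category></item>
</channel></rss>"""

# Severity words as used in the Synology listing on this page, ranked for filtering.
SEVERITY_RANK = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}


@dataclass(frozen=True)
class Advisory:
    guid: str
    title: str
    severity: str
    link: str


def parse_feed(xml_text: str) -> list:
    """Turn RSS <item> elements into Advisory records; absent fields become ''.
    For a feed fetched from the network, prefer defusedxml over the stdlib parser."""
    root = ET.fromstring(xml_text)
    advisories = []
    for item in root.iter("item"):
        text = lambda tag: (item.findtext(tag) or "").strip()
        advisories.append(Advisory(text("guid"), text("title"),
                                   text("category"), text("link")))
    return advisories


def new_relevant(advisories, seen_guids, my_packages, min_severity="Moderate"):
    """Return unseen advisories whose title names a package you run and whose
    severity reaches min_severity; every advisory seen is recorded in seen_guids."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for adv in advisories:
        if adv.guid in seen_guids:
            continue
        seen_guids.add(adv.guid)
        relevant = any(p.lower() in adv.title.lower() for p in my_packages)
        if relevant and SEVERITY_RANK.get(adv.severity, 0) >= threshold:
            hits.append(adv)
    return hits
```

Persist seen_guids between runs (a small file is enough) and the poller only ever alerts on advisories published since the last check.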



QNAP NAS Current Vulnerabilities and Exploits [OPEN 🔗]

Command Injection in QTS (Thu, 24 Jun)
Insecure Storage of Sensitive Information in myQNAPcloud Link (Wed, 16 Jun)
SMB Out-of-Bounds Read in QTS (Wed, 16 Jun)
Out-of-Bounds Read in QSS (Fri, 11 Jun)
Inclusion of Sensitive Information in QSS (Fri, 11 Jun)
Improper Access Control in Helpdesk (Fri, 11 Jun)
Post-Authentication Reflected XSS in Qcenter (Thu, 03 Jun)
Command Injection in Video Station (Thu, 03 Jun)
DOM-Based XSS in QTS (Thu, 03 Jun)
Relative Path Traversal in QTS (Fri, 21 May)
Qlocker Ransomware (Fri, 21 May)
… in Roon Server (Fri, 14 May)
eCh0raix Ransomware (Fri, 14 May)
Command Injection in Malware Remover (Thu, 13 May)
Improper Access Control in Music Station (Thu, 06 May)
AgeLocker Ransomware (Thu, 29 Apr)
Improper Authorization in HBS 3 (Hybrid Backup Sync) (Thu, 22 Apr)
SQL Injection in Multimedia Console and the … (Fri, 16 Apr)
Command Injection in QTS (Fri, 16 Apr)
Cross-site Scripting in File Station (Fri, 16 Apr)


SYNOLOGY NAS Current Vulnerabilities and Exploits [OPEN 🔗]

Advisory | Component | Severity | Status | Last updated
Synology-SA-21:21 | Audio Station | Important | Resolved | 2021-06-16 16:05:29 UTC+8
Synology-SA-21:20 | FragAttacks | Moderate | Ongoing | 2021-05-12 18:26:08 UTC+8
Synology-SA-21:19 | SRM | Important | Resolved | 2021-05-11 14:23:32 UTC+8
Synology-SA-21:18 | Hyper Backup | Moderate | Resolved | 2021-05-04 13:37:52 UTC+8
Synology-SA-21:17 | Samba | Moderate | Ongoing | 2021-05-06 11:28:17 UTC+8
Synology-SA-21:16 | ISC BIND | Moderate | Ongoing | 2021-05-03 10:34:51 UTC+8
Synology-SA-21:15 | Antivirus Essential | Important | Resolved | 2021-04-28 08:12:48 UTC+8
Synology-SA-21:14 | OpenSSL | Not affected | Resolved | 2021-03-29 08:56:36 UTC+8
Synology-SA-21:13 | Samba AD DC | Important | Ongoing | 2021-05-13 17:31:08 UTC+8
Synology-SA-21:12 | Synology Calendar | Moderate | Resolved | 2021-06-19 10:53:03 UTC+8
Synology-SA-21:11 | Download Station | Important | Resolved | 2021-06-19 11:15:17 UTC+8
Synology-SA-21:10 | Media Server | Moderate | Resolved | 2021-06-19 10:55:28 UTC+8
Synology-SA-21:09 | WebDAV Server | Moderate | Resolved | 2021-02-23 11:18:19 UTC+8
Synology-SA-21:08 | Docker | Low | Resolved | 2021-06-13 11:21:28 UTC+8
Synology-SA-21:07 | Synology Directory Server | Moderate | Resolved | 2021-02-23 11:17:51 UTC+8
Synology-SA-21:06 | CardDAV Server | Important | Resolved | 2021-02-23 11:17:26 UTC+8
Synology-SA-21:05 | Audio Station | Important | Resolved | 2021-02-23 09:52:31 UTC+8
Synology-SA-21:04 | Video Station | Moderate | Resolved | 2021-06-10 16:25:07 UTC+8
Synology-SA-21:03 | DSM | Important | Pending | 2021-06-11 09:45:46 UTC+8
Synology-SA-21:02 | Sudo | Low | Ongoing | 2021-06-02 17:00:07 UTC+8


ASUSTOR NAS Vulnerabilities and Exploits [OPEN 🔗]

2021-05-24 Security advisory for FragAttack
2021-03-29 ASUS ASMB8-iKVM and ASMB9-iKVM Firmware Security Update for ASUS Server Products
2021-03-24 ASUS SMM Privilege Security Update (CVE-2021-26943) for ASUS SKL Notebook PCs
2021-03-09 Security advisory for DNSpooq
2020-07-10 ASUS ScreenPad 2 Upgrade Tool Security Update (CVE-2020-15009) for ASUS PCs with ScreenPad 1.0 (UX450FDX, UX550GDX and UX550GEX)
2020-04-14 ASUS Update Regarding Mitigation for Known Intel CPU Vulnerabilities
2020-04-09 ASUS Device Activation Security Update (CVE-2020-10649) for ASUS Notebook PCs
2020-03-18 Security Advisory for CVE-2019-15126 (Kr00k)
2020-03-09 Security Notice for CVE-2018-18287
2020-02-14 ROG Gaming Center Package Security Update
2019-11-26 New firmware update for wireless router RT-AC1750_B1 RT-AC1900 RT-AC1900P RT-AC1900U RT-AC86U RT-AC2900 RT-AC3100 RT-AC3200 RT-AC51U RT-AC51U+ RT-AC52U B1 RT-AC66U RT-AC66U B1 RT-AC66U_WHITE RT-AC67U RT-AC68P RT-AC68R RT-AC68RF RT-AC68RW RT-AC68U RT-AC68U 2 Pack RT-AC68U_WHITE RT-AC68W RT-AC750 RT-AC87R RT-AC87U RT-AC87W RT-N66U RT-N66U_C1 RT-N14U
2019-11-15 Important information about ASUSWRT security:
2019-10-21 ATK Package Security Update (CVE-2019-19235) for ASUS Notebook PCs
2019-06-14 BIOS Update Announcement for ASUS Notebook PCs
2019-05-16 New firmware update for wireless router RT-AC1750_B1 RT-AC1900 RT-AC1900P RT-AC1900U RT-AC2900 RT-AC3100 RT-AC3200 RT-AC51U RT-AC5300 RT-AC56S RT-AC56U RT-AC66U RT-AC66U B1 RT-AC66U_WHITE RT-AC67U RT-AC68P RT-AC68R RT-AC68RF RT-AC68RW RT-AC68U RT-AC68U 2 Pack RT-AC68U_WHITE RT-AC68W RT-AC750 RT-AC86U RT-AC87R RT-AC87U RT-AC87W RT-AC88U RT-N18U RT-N66U RT-N66U_C1
2019-05-02 Latest software announcement for ZenFone devices
2018-08-14 Security advisory for OpenVPN server
2018-08-07 Latest software announcement for ZenFone ZenPad devices
2018-06-08 Security advisory for VPNFilter malware
2018-04-03 Security Vulnerability Notice (CVE-2018-5999, CVE-2018-6000) for ASUS routers
2017-10-31 Update on security advisory for the vulnerability of WPA2 protocol
2017-10-18 Security advisory for the vulnerabilities of WPA2 protocol


Work In Progress – More Security Advisory Updates and Reports Coming Soon for Other Brands