May 20, 2024 at 10:07AM
QNAP’s vulnerabilities disclosed by watchTowr revealed 15 issues, with only 4 addressed. Six are accepted with no available patches, while the rest are still under embargo or have no solution. QNAP has a history of ransomware attacks and slow patching. CVE-2024-27130, with potential RCE, remains unpatched despite being acknowledged by QNAP.
After reviewing the meeting notes, it is clear that there are critical vulnerabilities in QNAP’s QTS, QuTSCLoud, and QTS hero operating systems that have not been adequately addressed despite being reported months ago.
The researchers at watchTowr discovered 15 vulnerabilities, with only four of them receiving patches. Six of the remaining 11 bugs were accepted and validated by QNAP, with all of them having CVEs assigned to them, but no patches have been released yet. The other five vulnerabilities are either still under embargo or have no fix available, prompting the recommendation that users retire their devices.
Furthermore, there have been instances where ransomware attacks targeted QNAP devices, raising concerns about the security of the vendor’s products.
Despite the delays in issuing patches, QNAP was cooperative throughout the disclosure process, even offering remote access to its testing environment for comprehensive vulnerability reporting. However, the patching speed has been cited as an issue. It’s also worth noting that QNAP has received criticism for its severity rating of a vulnerability in the past.
Of particular concern is the stack overflow vulnerability with the CVE identifier CVE-2024-27130, which can lead to remote code execution. This vulnerability was reported on January 3 and has been acknowledged by QNAP, but a patch has not been released. The researchers have gone as far as releasing a proof of concept exploit code on GitHub to potentially expedite the patching process.
Given QNAP’s history of suffering damaging attacks, it is essential for the vendor to accelerate the development of patches to address these vulnerabilities.
The Register’s attempts to get a response from QNAP were unsuccessful, as the vendor did not immediately provide any comments or refutations.
In summary, it is crucial for QNAP to prioritize the development and release of patches to address the reported vulnerabilities and to improve its security practices to prevent further potential threats to its users’ devices.