Taiwanese vendor also issues mitigations for quartet of other serious flaws

QNAP fixes critical RCE vulnerabilities in NAS devices

UPDATED QNAP Systems has patched a pair of critical security vulnerabilities that could allow unauthenticated attackers to take control of its network-attached storage (NAS) devices.

The flaws, which were among a raft of serious bugs addressed by the Taiwanese hardware vendor last week, can both lead to remote code execution (RCE), according to a blog post published on March 31 by security researcher Yaniv Puyeski of SAM Seamless Network.

Sold for home and commercial use through subsidiaries in 28 countries, QNAP’s NAS devices are used for file sharing, virtualization, storage management, and surveillance applications.

Network-attached pwnage

A command injection vulnerability (CVE-2020-2509) in QNAP NAS operating systems QTS and QuTS Hero is exploitable via the web server, and is addressed in various QTS versions and builds, plus QuTS Hero h4.5.1.1491 build 20201119, released on April 16.

Patched in the same batch of firmware updates, the other critical bug (CVE-2020-36195) affects any QNAP NAS devices running Multimedia Console or the Media Streaming add-on.

With access to the DLNA server, attackers can exploit the flaw to create arbitrary file data, elevating to RCE on the remote NAS, according to Puyeski.

“Both vulnerabilities are simple to exploit if you know the exact technical details (which we didn't publish to protect customers),” Puyeski told The Daily Swig.

Catch up on the latest hardware security news

The researcher’s blog post demonstrates a Python script that takes over a NAS device using a simple reverse shell technique.

Requiring only network access to the vulnerable services, the critical, pre-authenticated flaws highlight an insecure, all-too-widespread way of using the devices, indicated Puyeski.

“Unfortunately, a lot of QNAP owners expose their device to the internet through port forwarding which puts them at very high risk to be hacked,” he explained.

The QNAP firmware updates also included a fix for a high severity cross-site scripting (XSS) vulnerability (CVE-2018-19942) in File Station, the QTS file management app.

The flaw, which was uncovered by Independent Security Evaluators, was fixed in several QTS versions/builds, QuTS hero h4.5.1.1472 build 20201031, and QuTScloud c4.5.4.1601 build 20210309 and QuTScloud c4.5.3.1454 build 20201013.

Puyeski noted that “the remediation process took quite some time. Legacy QNAP devices were not patched for more than four months, and only after we published the blog post QNAP deployed a fix.”


Another QNAP advisory indicates that a QNAP NAS package is still pending for v8.5.2 of third-party application Twonky Server after its vendor, Lynx Technology, patched a pair of high severity bugs in the media server that can be combined to damaging effect.

Found by Sven Krewitt of Risk Based Security and disclosed on March 16, the flaws include an improper access restriction vulnerability that can expose the administrator username and password, and a weak password obfuscation flaw facilitating password decryption.

On April 12, meanwhile, QNAP patched a heap-based buffer overflow vulnerability in Linux command Sudo in its QTS OS.

YOU MIGHT ALSO LIKE Django Debug Toolbar tripped up by SQL injection flaw

Disclosed by Qualys and quickly addressed in QuTS hero in January, the bug allows any unprivileged users to gain escalated root privileges on the vulnerable host.

The high severity CVE (CVE-2021-3156) – classed as medium risk by QNAP – affects all QNAP NAS devices.

With a patch still pending for QES, users of QNAP’s enterprise storage operating system are advised to disable SSH and Telnet except where these services are required.


Finally, an RCE exploit for a critical stack-based buffer overflow vulnerability (CVE-2020-2501) patched in QNAP’s Surveillance Station video management system in February was published on April 10 by SSD Secure Disclosure.

The Daily Swig has sent additional questions to QNAP. We will update the article if and when we receive responses.

This article was updated on April 20 and April 23 with comments from Yaniv Puyeski of SAM Seamless Network.

RELATED Cisco router flaws left small business networks open to abuse