Piecemeal patches from QNAP
Shortly after the disclosure of several security holes in QNAP's NAS and network video recording systems that enabled potential attackers to gain full control, the company has started to release updated versions of its software; however, the security updates are only being released bit by bit.
The first release updated the Surveillance Station Pro software to version 3.0.1 (the latest version is 3.0.2), although this update was only applicable to NAS systems with firmware version 4. When The H's associates at heise Security pointed out that there are still systems with the older firmware version 3.8 in operation, and that these systems continue to be vulnerable, the company initially responded with silence – and a short time later, with Surveillance Station Pro v2.6. At present, users still need to install this update as a direct download; QNAP's app store continues to offer the vulnerable version 2.5 for download. Updated firmware versions for the likewise vulnerable VioStor surveillance systems became available yesterday.
QNAP generally continues to keep a low profile in this matter. The company's web pages offer neither information on the nature of the problem nor on how to fix it. The only updating tips can be found in a posting by a QNAP employee on a forum for registered users. While the posting only vaguely mentions a potential security issue and has been repeatedly edited over the past few days, it does provide working links to the relevant downloads. A similar posting with links to current firmware files is also available to VioStor administrators.
Since March, Tim Herres and David Elze from the Daimler TSS Offensive Security team have been trying to notify the company about this serious security hole, which has left thousands of systems highly vulnerable. As the security hole, and potential ways of exploiting it, are already being discussed on the relevant forums, administrators should act immediately.