#1 Trusted Cybersecurity News Platform
Followed by 4.50+ million
The Hacker News Logo
Subscribe – Get Latest News
Cybersecurity

QNAP | Breaking Cybersecurity News | The Hacker News

Category — QNAP
QNAP Patches New Flaws in QTS and QuTS hero Impacting NAS Appliances

QNAP Patches New Flaws in QTS and QuTS hero Impacting NAS Appliances

May 22, 2024 Data Security / Vulnerability
Taiwanese company QNAP has rolled out fixes for a set of medium-severity flaws impacting QTS and QuTS hero, some of which could be exploited to achieve code execution on its network-attached storage (NAS) appliances. The  issues , which impact QTS 5.1.x and QuTS hero h5.1.x, are listed below - CVE-2024-21902  - An incorrect permission assignment for critical resource vulnerability that could allow authenticated users to read or modify the resource via a network CVE-2024-27127  - A double free vulnerability that could allow authenticated users to execute arbitrary code via a network CVE-2024-27128, CVE-2024-27129, and CVE-2024-27130  - A set of buffer overflow vulnerabilities that could allow authenticated users to execute arbitrary code via a network All the shortcomings, that require a valid account on NAS devices, have been addressed in QTS 5.1.7.2770 build 20240520 and QuTS hero h5.1.7.2770 build 20240520. Aliz Hammond of watchTowr Labs has been credited with  discoverin
Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

Raspberry Robin Returns: New Malware Campaign Spreading Through WSF Files

Apr 10, 2024 Cyber Crime / Malvertising
Cybersecurity researchers have discovered a new Raspberry Robin campaign wave that has been propagating the malware through malicious Windows Script Files ( WSFs ) since March 2024. "Historically, Raspberry Robin was known to spread through removable media like USB drives, but over time its distributors have experimented with other initial infection vectors," HP Wolf Security researcher Patrick Schläpfer  said  in a report shared with The Hacker News. Raspberry Robin, also called QNAP worm, was  first spotted  in September 2021 that has since  evolved into a downloader  for various other payloads in recent years, such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and TrueBot, and also serving as a precursor for ransomware. While the malware was initially distributed by means of USB devices containing LNK files that retrieved the payload from a compromised QNAP device, it has since  adopted other methods  such as social engineering and malvertising. It's attribute
The Secret Weakness Execs Are Overlooking: Non-Human Identities

The Secret Weakness Execs Are Overlooking: Non-Human Identities

Oct 03, 2024Enterprise Security / Cloud Security
For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,
QNAP Releases Patch for 2 Critical Flaws Threatening Your NAS Devices

QNAP Releases Patch for 2 Critical Flaws Threatening Your NAS Devices

Nov 06, 2023 Vulnerability / Data Security
QNAP has released security updates to address two critical security flaws impacting its operating system that could result in arbitrary code execution. Tracked as  CVE-2023-23368  (CVSS score: 9.8), the vulnerability is described as a command injection bug affecting QTS, QuTS hero, and QuTScloud. "If exploited, the vulnerability could allow remote attackers to execute commands via a network," the company said in an advisory published over the weekend. The shortcoming spans the below versions - QTS 5.0.x (Fixed in QTS 5.0.1.2376 build 20230421 and later) QTS 4.5.x (Fixed in QTS 4.5.4.2374 build 20230416 and later) QuTS hero h5.0.x (Fixed in QuTS hero h5.0.1.2376 build 20230421 and later) QuTS hero h4.5.x (Fixed in QuTS hero h4.5.4.2374 build 20230417 and later) QuTScloud c5.0.x (Fixed in QuTScloud c5.0.1.2374 and later) Also fixed by QNAP is another command injection flaw in QTS, Multimedia Console, and Media Streaming add-on ( CVE-2023-23369 , CVSS score: 9.0) th
cyber security

The State of SaaS Security 2024 Report

websiteAppOmniSaaS Security / Data Security
Learn the latest SaaS security trends and discover how to boost your cyber resilience. Get your free…
QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates

QNAP Fixes Critical Vulnerability in NAS Devices with Latest Security Updates

Jan 31, 2023 Data Security / Vulnerability
Taiwanese company QNAP has released updates to remediate a critical security flaw affecting its network-attached storage (NAS) devices that could lead to arbitrary code injection. Tracked as  CVE-2022-27596 , the vulnerability is rated 9.8 out of a maximum of 10 on the CVSS scoring scale. It affects QTS 5.0.1 and QuTS hero h5.0.1. "If exploited, this vulnerability allows remote attackers to inject malicious code," QNAP  said  in an advisory released Monday. The exact technical specifics surrounding the flaw are unclear, but the NIST National Vulnerability Database (NVD) has categorized it as an SQL injection vulnerability. This means an attacker could send specially crafted SQL queries such that they could be weaponized to bypass security controls and access or alter valuable information. "Just as it may be possible to read sensitive information, it is also possible to make changes or even delete this information with a SQL injection attack," according to  MI
New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors

New Analysis Reveals Raspberry Robin Can be Repurposed by Other Threat Actors

Jan 11, 2023 Cyber Threat / Malware
A new analysis of Raspberry Robin's attack infrastructure has  revealed  that it's possible for other threat actors to repurpose the infections for their own malicious activities, making it an even more potent threat. Raspberry Robin (aka QNAP worm), attributed to a threat actor dubbed DEV-0856, is a malware that has  increasingly   come under the radar  for being used in attacks aimed at finance, government, insurance, and telecom entities. Given its use by multiple threat actors to drop a wide range of payloads such as SocGholish , Bumblebee ,  TrueBot ,  IcedID , and  LockBit  ransomware, it's believed to be a pay-per-install (PPI) botnet capable of serving next-stage malware. Raspberry Robin, notably, employs infected USB drives as a propagation mechanism and leverages breached QNAP network-attached storage (NAS) devices as first-level command-and-control (C2). Cybersecurity firm SEKOIA said it was able to identify at least eight virtual private servers (VPSs) hos
Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

Jun 23, 2022
QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Wednesday said it's in the process of fixing a critical three-year-old PHP vulnerability that could be abused to achieve remote code execution. "A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config," the hardware vendor  said  in an advisory. "If exploited, the vulnerability allows attackers to gain remote code execution." The vulnerability, tracked as  CVE-2019-11043 , is rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system. That said, it's required that Nginx and php-fpm are running in appliances using the following QNAP operating system versions - QTS 5.0.x and later QTS 4.5.x and later QuTS hero h5.0.x and later QuTS hero h4.5.x and later QuTScloud c5.0.x and later "As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not aff
QNAP Releases Firmware Patches for 9 New Flaws Affecting NAS Devices

QNAP Releases Firmware Patches for 9 New Flaws Affecting NAS Devices

May 07, 2022
QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Friday released security updates to patch nine security weaknesses, including a critical issue that could be exploited to take over an affected system. "A vulnerability has been reported to affect QNAP VS Series NVR running QVR," QNAP  said  in an advisory. "If exploited, this vulnerability allows remote attackers to run arbitrary commands." Tracked as  CVE-2022-27588  (CVSS score: 9.8), the vulnerability has been addressed in QVR 5.1.6 build 20220401 and later. Credited with reporting the flaw is the Japan Computer Emergency Response Team Coordination Center (JPCERT/CC). Aside from the critical shortcoming, QNAP has also resolved three high-severity and five medium-severity bugs in its software - CVE-2021-38693  (CVSS score: 5.3) - A  path traversal vulnerability  in thttpd affecting QNAP devices running QTS, QuTS hero, QuTScloud, and QVR Pro Appliance, leading to information disclosure C
QNAP Advises to Mitigate Remote Hacking Flaws Until Patches are Available

QNAP Advises to Mitigate Remote Hacking Flaws Until Patches are Available

Apr 28, 2022
Network-attached storage (NAS) appliance maker QNAP on Wednesday  said  it's working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software. Netatalk  is an open-source implementation of the Apple Filing Protocol ( AFP ), allowing Unix-like operating systems to serve as file servers for Apple macOS computers. On March 22, 2022, its maintainers released  version 3.1.13  of the software to resolve major security issues — CVE-2021-31439 ,  CVE-2022-23121 ,  CVE-2022-23122 ,  CVE-2022-23123 ,  CVE-2022-23124 ,  CVE-2022-23125 , and  CVE-2022-0194  — that could be exploited to achieve arbitrary code execution. "This vulnerability [CVE-2022-23121] can be exploited remotely and does not need authentication," NCC Group researchers  noted  last month. "It allows an attacker to get remote code execution as the 'nobody' user on the NAS. This user can access private shares that would
QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities

QNAP Advises Users to Update NAS Firmware to Patch Apache HTTP Vulnerabilities

Apr 22, 2022
Network-attached storage (NAS) appliance maker QNAP on Thursday said it's investigating its lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month. The critical flaws, tracked as  CVE-2022-22721 and CVE-2022-23943 , are rated 9.8 for severity on the CVSS scoring system and impact Apache HTTP Server versions 2.4.52 and earlier - CVE-2022-22721  - Possible buffer overflow with very large or unlimited LimitXMLRequestBody CVE-2022-23943  - Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server Both the vulnerabilities, alongside CVE-2022-22719 and CVE-2022-22720, were remediated by the project maintainers as part of  version 2.4.53 , which was shipped on March 14, 2022. "While CVE-2022-22719 and CVE-2022-22720 do not affect QNAP products, CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,"
QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

Mar 31, 2022
Taiwanese company QNAP this week revealed that a selected number of its network-attached storage (NAS) appliances are affected by a recently-disclosed bug in the open-source OpenSSL cryptographic library. "An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS," the company  said  in an advisory published on March 29, 2022. "If exploited, the vulnerability allows attackers to conduct denial-of-service attacks." Tracked as  CVE-2022-0778  (CVSS score: 7.5), the issue relates to a bug that arises when parsing security certificates to trigger a denial-of-service condition and remotely crash unpatched devices. QNAP, which is currently investigating its line-up, said it affects the following operating system versions – QTS 5.0.x and later QTS 4.5.4 and later QTS 4.3.6 and later QTS 4.3.4 and later QTS 4.3.3 and later QTS 4.2.6 and later QuTS hero h5.0.x and later QuTS hero h4.5.4 and later, and QuTScloud c5.0.x To date, t
'Dirty Pipe' Linux Flaw Affects a Wide Range of QNAP NAS Devices

'Dirty Pipe' Linux Flaw Affects a Wide Range of QNAP NAS Devices

Mar 15, 2022
Network-attached storage (NAS) appliance maker QNAP on Monday warned of a recently disclosed Linux vulnerability affecting its devices that could be abused to elevate privileges and gain control of affected systems. "A local privilege escalation vulnerability, also known as 'Dirty Pipe,' has been reported to affect the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x," the company  said . "If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code." The Taiwanese firm said it's continuing to thoroughly  investigate its product line  for the vulnerability and that QNAP NAS devices running QTS versions 4.x are immune to the Dirty Pipe flaw. Tracked as  CVE-2022-0847  (CVSS score: 7.8), the shortcoming resides in the Linux kernel that could permit an attacker to overwrite arbitrary data into any read-only files and allow for a complete takeover of vulnerable machines. "A
QNAP Warns of DeadBolt Ransomware Targeting Internet-Facing NAS Devices

QNAP Warns of DeadBolt Ransomware Targeting Internet-Facing NAS Devices

Jan 28, 2022
Taiwanese company QNAP has warned customers to secure network-attached storage (NAS) appliances and routers against a new ransomware variant called DeadBolt . "DeadBolt has been widely targeting all NAS exposed to the Internet without any protection and encrypting users' data for Bitcoin ransom," the company  said . "QNAP urges all QNAP NAS users to […] immediately update QTS to the latest available version." A query on IoT search engine Censys shows that at least 3,687 devices have been encrypted by the DeadBolt ransomware so far, with most NAS devices located in the U.S., Taiwan, France, Italy, the U.K., Hong Kong, Germany, the Netherlands, Poland, and South Korea. In addition, QNAP is also urging users to check if their NAS devices are public-facing, and if so, take steps to turn off the port forwarding function of the router and disable the Universal Plug and Play ( UPnP ) function of the QNAP NAS. The advisory comes as  Bleeping Computer  revealed t
QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices

QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices

Sep 01, 2021
Network-attached storage (NAS) appliance maker QNAP said it's  currently   investigating  two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable. Tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), the  weaknesses  concern a high-severity buffer overflow in SM2 decryption function and a buffer overrun issue when processing ASN.1 strings that could be abused by adversaries to run arbitrary code, cause a denial-of-service condition, or result in disclosure of private memory contents, such as private keys, or sensitive plaintext — CVE-2021-3711  - OpenSSL SM2 decryption buffer overflow CVE-2021-3712  - Read buffer overruns processing ASN.1 strings "A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the c
Expert Insights / Articles Videos
Cybersecurity Resources