«
»

QNAP Says To Update The Firmware On Your NAS To Avoid Being Pwned…. But Some People Claim To Be Pwned Even If They Do Update The Firmware

You might recall that I wrote about unknown threat actors targeting Internet exposed QNAP devices with ransomware. And that QNAP was force feeding updates to users to try and address this. This story continues with a press release being put out by QNAP yesterday which says among other things, this:

Recently the QNAP Product Security Incident Response Team (PSIRT) detected that cybercriminals are taking advantage of a patched vulnerability, described in the QNAP Security Advisory (QSA-21-57), to launch a cyberattack. On January 27, 2022, QNAP set the patched versions of system software as “Recommended Version”. If auto update for “Recommended Version” is enabled on your QNAP NAS, the system will automatically update to certain OS version to enhance security and protection of your QNAP NAS, mitigating the attack from criminals.

According to QNAP, the security bug has been addressed in the following versions of QTS and QuTS hero:

  • QTS 5.0.0.1891 build 20211221 and later
  • QTS 4.5.4.1892 build 20211223 and later
  • QuTS hero h5.0.0.1892 build 20211222 and later
  • QuTS hero h4.5.4.1892 build 20211223 and later
  • QuTScloud c5.0.0.1919 build 20220119 and later

But here’s where this may not be the case. A customer said in the QNAP forum that they were pwned even when they had the recommended firmware version installed. That implies that the threat actors are likely exploiting a different vulnerability that QNAP is either not aware of, or haven’t patched, or both. Which is bad news for QNAP users.

In my case since I own a QNAP NAS, I am looking at QNAP’s main rival Synology to see which one of their products is right for me. At this point it’s pretty clear that there are some serious security issues with QNAP products that don’t seem to be going away. Thus in the interest of being safe and secure, I will have to dump their products. And I suspect that other QNAP users may feel the same way because this crisis for QNAP simply isn’t going away.

This entry was posted on February 2, 2022 at 12:07 pm and is filed under Commentary with tags . You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

One Response to “QNAP Says To Update The Firmware On Your NAS To Avoid Being Pwned…. But Some People Claim To Be Pwned Even If They Do Update The Firmware”

  1. QNAP Extends Security Updates To EOL Devices To Head Off More Ransoware Attacks… Or To Keep Customers From Dumping Them | The IT Nerd Says:
    February 17, 2022 at 9:27 am

    […] fed updates to users of their NAS devices that caused various degrees of havoc. Though they later told users to update their firmware to avoid getting pwned. Though there were suggestions that you might […]

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: