fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

QNAP Patches QTS Vulnerabilities Allowing NAS Device Takeover

QNAP Patches QTS Vulnerabilities Allowing NAS Device Takeover

Network-attached storage (NAS) maker QNAP today released security updates to address vulnerabilities that could enable attackers to take control of unpatched NAS devices following successful exploitation.

The eight vulnerabilities patched today by QNAP affect all QNAP NAS devices running vulnerable software.

These command injection and cross-site scripting (XSS) security bugs the company rated as medium and high severity security issues.

The XSS vulnerabilities could allow remote attackers to inject malicious code within vulnerable application versions.

Leveraging command injection bugs enable them to elevate privileges, execute arbitrary commands on the compromised device or app, and take over the underlying operating system.

OS command injection and cross-site scripting

The list of software some of today’s security updates apply to includes the QNAP QuTS hero high-performance ZFS-based operating system and the QTS NAS OS.

Also Read: How Formidable is Singapore Cybersecurity Masterplan 2020?

QNAP has addressed the CVE-2020-2495, CVE-2020-2496, CVE-2020-2497, and CVE-2020-2498 XSS bugs, as well as the CVE-2019-7198 command injection bug in these versions of QTS and QuTS hero:• QuTS hero h4.5.1.1472 build 20201031 and later
• QTS 4.5.1.1456 build 20201015 and later
• QTS 4.4.3.1354 build 20200702 and later
• QTS 4.3.6.1333 build 20200608 and later
• QTS 4.3.4.1368 build 20200703 and later
• QTS 4.3.3.1315 build 20200611 and later
• QTS 4.2.6 build 20200611 and later

The NAS maker urges customers to update their systems to the latest version to prevent future attacks from impacting their devices.

To deploy QTS and QuTS hero security updates on your NAS device follow this procedure:

  1. Log on to QTS or QuTS hero as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update. QTS or QuTS hero downloads and installs the latest available update.

QNAP also fixed XSS bugs affecting Music Station (CVE-2020-2494), Multimedia Console (CVE-2020-2493), and Photo Station (CVE-2020-2491).

The full procedure you need to follow to update the apps to their latest versions on your NAS includes these steps:

  1. Log on to QTS as administrator.
  2. Open the App Center, then click , and type the name of the app in the search box that appears.
  3. Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
  4. Click OK. The application is updated.

QNAP NAS devices are tempting targets

Given that NAS devices are commonly used for backup and file sharing, they are also regularly targeted by attackers who attempt to steal sensitive documents or deploy malware payloads.

QNAP warned customers in September of ongoing attacks targeting publicly exposed NAS devices with AgeLocker ransomware by exploiting older and vulnerable versions of Photo Station.

The company also warned of eCh0raix ransomware attacks that targeted flaws in the same application starting with June 2020.

In an August report, Qihoo 360’s Network Security Research Lab (360 Netlab) said that hackers were also scanning for vulnerable NAS devices and trying to exploit a remote code execution (RCE) firmware vulnerability addressed by QNAP in July 2017.

Also Read: Going Beyond DPO Meaning: Ever Heard of Outsourced DPO?

Another warning was issued by QNAP two months ago, on October 21st, when it alerted users that some versions of the QTS operating system are affected by the critical Windows ZeroLogon (CVE-2020-1472) vulnerability when the devices were configured as a domain controller.

While NAS devices aren’t commonly used as a Windows domain controllers, some orgs could enable the feature for user account management, authentication, and for enforcing domain security.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us