fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

QNAP Patches Critical Vulnerability In Surveillance Station NAS App

QNAP Patches Critical Vulnerability In Surveillance Station NAS App

QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software.

Surveillance Station is QNAP’s network surveillance Video Management System (VMS), a software solution that can help users manage and monitor up to 12 IP cameras.

It is a Turbo NAS standard application with support for over 3,000 IP camera models, and it can be installed from the company’s QTS App Center.

Critical RCE bug fixed in the latest app versions

The critical security flaw patched today by QNAP is a stack-based buffer overflow vulnerability impacting QNAP NAS devices running Surveillance Station.

“If exploited, this vulnerability allows attackers to execute arbitrary code,” QNAP explains in a security advisory from today.

When successfully exploiting it for arbitrary code execution, the attackers will also regularly subvert any security service or anti-malware solutions running on the compromised device.

QNAP has already fixed the critical vulnerability in the following software versions:

  • Surveillance Station 5.1.5.4.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS)
  • Surveillance Station 5.1.5.3.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS)

The company has also patched a medium severity cross-site scripting (XSS) vulnerability affecting earlier versions of the Photo Station app used to upload images to QNAP NAS device, create albums, or view them remotely.

“If exploited, this vulnerability allows remote attackers to inject malicious code,” according to QNAP. The security bug was addressed in Photo Station 6.0.11 and later.

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

How to update to the latest versions

Given the vulnerabilities’ severity ratings, customers should update both apps to the latest available versions as soon as possible.

To do that, you have to log into your NAS devices as admin and use the App Center to look for app updates.

To update Surveillance Station and Photo Station on your NAS, you need to go through the following steps:

  1. Log into QTS as administrator.
  2. Open the App Center, and then click . A search box appears.
  3. Type “Surveillance Station” and “Photo Station”, and then press ENTER. The application appears in the search results.
  4. Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
  5. Click OK. The application is updated.

NAS devices are attractive targets

NAS devices are often targeted by attackers who want to steal sensitive documents or deploy info-stealing malware since they are commonly used for backing up and sharing sensitive files.

QNAP alerted customers in September 2020 of an AgeLocker ransomware campaign targeting Internet exposed NAS devices in attacks exploiting older and vulnerable Photo Station versions.

Previously, it also warned of eCh0raix ransomware attacks targeting another series of Photo Station app security flaws starting with June 2020.

Also Read: How to Send Mass Email Without Showing Addresses: 2 Great Workarounds

Qihoo 360’s 360 Netlab also said in August that attackers were scanning for vulnerable NAS devices trying to exploit a remote code execution (RCE) firmware vulnerability fixed over three years ago, in July 2017.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us