Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


BDFL - Memuneh
61189 posts

Uber Geek
+1 received by user: 11970

Administrator
Trusted
Geekzone
Lifetime subscriber

Topic # 152457 27-Sep-2014 09:54
Send private message

I know there's a discussion about the Bash vulnerability in our Linux sub-forum.

This is a post to warn home/small office users about NAS devices and this vulnerability. QNAP is being proactive and sent out an email today about this problem, which I suspect would affect other devices from Synology. Thecus, etc.

Remember the cryptolocker malware? This could easily be another vector for those malware to take over the NAS. 

Here is the email from QNAP:


QNAP Systems, Inc. has been looking into the recent concerns over potential Bash code injection (CVE-2014-6271) that can lead to security vulnerabilities on the Turbo NAS and other Unix/Linux-based systems. A partial solution for CVE-2014-6271 exists but may result in another security vulnerability (CVE-2014-7169). QNAP is actively working on a solution for this issue, but in the meantime encourages all Turbo NAS users to take the following immediate actions to avoid any possible exploitation of their system.

As a temporary measure until a solution is released for this issue, please ensure that the following services of the Turbo NAS are disconnected from the Internet:

 

  • Web administration
  • Web server
  • WebDAV
  • Photo Station, Music Station, File Station, and any other NAS app that uses a web-based interface
Normally the local network is not accessible from the Internet easily, users can still use their Turbo NAS safely. If users still worry about the security of their local network, they can follow the steps to disable the QTS web UI completely, and only turn it on when necessary:

 

  • Login to QTS and disable the Web Server in Applications
  • Login to QTS and disable the secure connection (SSL) in General Settings
  • Disable NAS web administration using a SSH utility (such as putty): 

     

    • 1. Connect to the Turbo NAS with admin username and password
    • 2. Type the following command and hit the "Enter" key: /etc/init.d/thttpd.sh stop
Note: The NAS web administration will become unavailable after taking the above steps. To restore it:

 

  • Restart the Turbo NAS, or
  • Manually start the web administration via SSH by typing the following command: /etc/init.d/thttpd.sh start
QNAP will keep users updated with the latest information as addressing this issue. If users would like further assistance, please contact QNAP Technical Support at http://helpdesk.qnap.com.




Create new topic
3123 posts

Uber Geek
+1 received by user: 946

Trusted
Lifetime subscriber

  Reply # 1138682 27-Sep-2014 11:38
Send private message

I was mostly expecting this and disabled the web interfaces on both my NAS' (QNap and WD Live) when reports of cryptolocker started coming out. Very rarely used these interfaces anyway.

301 posts

Ultimate Geek
+1 received by user: 6

Trusted

  Reply # 1138690 27-Sep-2014 12:00
Send private message
3123 posts

Uber Geek
+1 received by user: 946

Trusted
Lifetime subscriber

  Reply # 1144148 30-Sep-2014 12:59
Send private message

Email from QNAP super early this morning:

QNAP Releases New QTS for the Turbo NAS with Fix on GNU Bash Environment Variable Command Injection Vulnerability

Taipei, Taiwan, September 29, 2014 – QNAP® Systems, Inc. today released a new version of QTS for its Turbo NAS lineup, fixing the GNU Bash Environment Variable Command Injection Vulnerability (CVE-2014-6271 and CVE-2014-7169), also known as "Shellshock," that can allow attackers to gain remote control over UNIX/Linux-based systems. The Turbo NAS may also be affected under certain conditions.

QNAP's security lab has verified the QTS version 4.1.1 Build 0927 and confirmed it has fixed the CVE-2014-6271 and CVE-2014-7169 vulnerability. Users are strongly advised to update their Turbo NAS units to this QTS version.

As the GNU Bash still have potential issues on CVE-2014-6277, which is not confirmed to be solved yet, QNAP will keep on watching the solution provided by GNU and release the corresponding hot fixes.

QTS 4.1.1 Build 0927 is now available for update directly on the Turbo NAS management interface (QTS) and on QNAP's official download site (http://www.qnap.com/download) for the following Turbo NAS models:

TS-EC880 Pro, TS-EC1080 Pro, TS-EC880U-RP, TS-EC1280U-RP, TS-EC1680U-RP, TS-EC2480U-RP
TS-879 Pro, TS-1079 Pro, TS-879U-RP/EC879U-RP , TS-1279U-RP/EC1279U-RP, TS-1679U-RP/EC1679U-RP, SS-EC1279U-SAS-RP, SS-EC1879U-SAS-RP, SS-EC2479U-SAS-RP
TS-470, TS-470 Pro, TS-670, TS-670 Pro, TS-870, TS-870 Pro
TS-1270U-RP, TS-870U-RP, TS-1269U-RP,TS-869U-RP, TS-269 Pro/269L, TS-469 Pro/469L, TS-469U-RP/SP, TS-569 Pro/569L, TS-669 Pro/669L, TS-869 Pro/869L
SS-453 Pro, SS-853 Pro, TS-253 Pro, TS-453 Pro, TS-653 Pro, TS-853 Pro
TS-251, TS-451, TS-651, TS-851
HS-210, HS-251, IS-400 Pro
TS-121, TS-221, TS-421, TS-421U
TS-120, TS-220, TS-420, TS-420U
TS-119/119P+/119P II, TS-219/219P/219P+/219P II, TS-419P/419P+/419P II, TS-419U/419U+/419U II
TS-259 Pro/259 Pro+, TS-459 Pro/459 Pro+/459 Pro II, TS-459U-RP/SP/459U-RP+/SP+, TS-509 Pro, TS-559 Pro/559 Pro+/559 Pro II, TS-659 Pro/659 Pro+/659 Pro II, TS-859 Pro/859 Pro+, TS-859U/859U+
SS-439 Pro, SS-839 Pro, TS-239 Pro, TS-239H, TS-239 Pro II, TS-239 Pro II+, TS-439 Pro, TS-439 Pro II, TS-439 Pro II+, TS-439U RP/SP, TS-639 Pro
TS-110, TS-210, TS-410, TS-410U
TS-112, TS-212/212P/212-E, TS-412, TS-412U
TS-809 Pro, TS-809U-RP
Users with further questions can contact QNAP Technical Support at:

http://helpdesk.qnap.com


Interestingly, my TS-220 (which is in the list above) reports that it's running 4.1.0 and that it's up-to-date:





This has forced me to start a manual update.

EDIT 1: Cleanup the messy formatting a little

EDIT 2: Update complete, all systems go. Just a bit of a nuisance having to do it manually.

427 posts

Ultimate Geek
+1 received by user: 94

Subscriber

  Reply # 1144160 30-Sep-2014 13:17
Send private message

I was running the same firmware 4.1.0 0612 on my TS-419 PII and mine also said it was up to date.
I think I manually downloaded that version of 4.1.0 I from the firmware thread, and may not have been an 'officially released version' hence it has no update.

I'm manually doing 4.1.1 0927 now too.




Speedtest

752 posts

Ultimate Geek
+1 received by user: 33


  Reply # 1144209 30-Sep-2014 13:52
Send private message

Exposing a Qnap NAS to the internet is just asking for trouble. I wouldn't access mine remotely without my VPN in front of it.
The Shellshock patches haven't changed this fact. Perhaps this will give them a shakeup. If so, then I'll consider this whole debacle a blessing.

449 posts

Ultimate Geek
+1 received by user: 125


  Reply # 1148224 6-Oct-2014 14:22
Send private message
431 posts

Ultimate Geek
+1 received by user: 7

Trusted

  Reply # 1148234 6-Oct-2014 14:40
Send private message

If you have already updated to 4.1.1 0927, there is a newer build, 4.1.1 1003.






3005 posts

Uber Geek
+1 received by user: 737


  Reply # 1148457 6-Oct-2014 18:18
Send private message

Info on Netgear's response http://kb.netgear.com/app/answers/detail/a_id/25703

Being an ignoramus, how would I confirm if I have any static port forwarding to my ReadyNAS? (It's a Duo 2.)

17957 posts

Uber Geek
+1 received by user: 5171

Trusted
Lifetime subscriber

  Reply # 1148464 6-Oct-2014 18:20
Send private message

jonathan18: Info on Netgear's response http://kb.netgear.com/app/answers/detail/a_id/25703

Being an ignoramus, how would I confirm if I have any static port forwarding to my ReadyNAS? (It's a Duo 2.)


It would be done on your router. 

If you are the only one who has ever touched it, then you would likely remember. Otherwise login and look for port forwarding, NAT and or Firewall rules on the router. 

Webhead
2083 posts

Uber Geek
+1 received by user: 674

Moderator
Trusted
Lifetime subscriber

  Reply # 1148486 6-Oct-2014 18:49
Send private message

lapimate: Synology - affected models


Synology has an update out now. So should probably update if you haven't.. 




3005 posts

Uber Geek
+1 received by user: 737


  Reply # 1148571 6-Oct-2014 20:09
Send private message

networkn:
jonathan18: Info on Netgear's response http://kb.netgear.com/app/answers/detail/a_id/25703

Being an ignoramus, how would I confirm if I have any static port forwarding to my ReadyNAS? (It's a Duo 2.)


It would be done on your router. 

If you are the only one who has ever touched it, then you would likely remember. Otherwise login and look for port forwarding, NAT and or Firewall rules on the router. 


I had a feeling I'd made such setting changes well over a year ago, but couldn't remember where - and indeed I had set this up for a torrent client to run on the NAS, which I have now disabled (though assume this will stop me being able to download torrented files directly onto the NAS?).

Thanks for your help- will now just need to wait for Netgear to release a patch...

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.