A recent update to QNAP’s firmware, version 5.2.2.2950 build 20241114, caused many problems for people with QNAP Network Attached Storage (NAS) devices. Released around November 19th, the update prevented some from accessing their files.
The faulty firmware update was supposed to fix some security issues found in QNAP devices. These devices often face cyberattacks, and in February 2023, a serious vulnerability was found that allowed hackers to remotely execute SQL commands and potentially take control of the device. This flaw affected around 30,000 devices. Previously, the DeadBolt ransomware group had also attacked QNAP users, which prompted the company to start automatic emergency updates, even for users who turned off this option.
Unfortunately, the most recent update came with bugs that showed up during login and startup, and it even left the system without Python functionality, which some applications need. Although QNAP initially said the problems only affected a few models, like the TS-x53D and TS-x51 series, posts on user forums showed that many more devices were actually experiencing these issues. QNAP recommends that its NAS devices be connected to the internet only through a VPN or other secure methods.
After getting feedback from users, QNAP quickly removed the faulty firmware and put out a fixed version within 24 hours. They suggested that affected users either downgrade to an earlier firmware version and then upgrade to the new fixed one, or contact QNAP support for help. However, that may not be enough, especially considering how serious this issue was. The point of a NAS is to have accessible data, and a service that causes the box not to work is a big deal.
Security researchers at WatchTowr found fifteen vulnerabilities in QNAP’s operating systems and cloud services. They reported these issues to QNAP, but some of the vulnerabilities were not fixed even after the usual 90-day period. As a result, WatchTowr decided to make their findings public.
Source: QNAP via Ars Technica