QNAP ‘urgently’ fixing vulnerabilities in multiple systems
Data-storage hardware vendor QNAP said it is “urgently” fixing two vulnerabilities that allow hackers to remotely access systems.
A company spokesperson noted that the vulnerabilities, CVE-2022-27597 and CVE-2022-27598, affect four different products and that the bugs have already been fixed in two of them.
The bugs cause stability issues and unpredictable code behavior. A malicious actor could use those problems to get full access to a QNAP device.
The Taiwan-based company is urging customers to update the firmware for versions that have fixes available.
“For QuTScloud and QVP users, we advise reviewing and securing the credentials of all user accounts by using strong passwords,” the spokesperson said. “It is also recommended that users change their passwords periodically as a good practice in account management.”
The cybersecurity company that discovered the vulnerabilities, Sternum, told The Record that it was running its security system on a QNAP network-attached storage (NAS) device when it got a bunch of security alerts warning of multiple memory access violations.
Amit Serper, director of security research for Sternum, said the vulnerabilities were an example of lackluster security tests done on devices from many companies during development.
“Sadly, this story of this vulnerability is anything but surprising,” Serper said. “With tens of billions of devices in circulation, and many used for critical functions in healthcare, infrastructure, communication, transportation, etc., the threat posed by similar yet-to-be-detected vulnerabilities should not be taken lightly.”
Serper added that a conservative estimate based on searches through the threat intelligence tool Shodan shows that more than 80,000 QNAP devices worldwide still have the vulnerabilities.
The news comes after QNAP has spent more than a year working to protect customers from the Deadbolt ransomware group, which has specifically exploited vulnerabilities in the company’s NAS hardware.
Blockchain research company Chainalysis found that throughout 2022, Deadbolt brought in more than $2.3 million from an estimated 4,923 victims, with an average ransom payment of $476, compared with an average of over $70,000 across all ransomware strains.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.