back to article QNAP users: It's your turn to patch in a hurry

QNAP has issued a critical-rated warning for devices running its QTS operating system. According to the Friday advisory (second in this list, no direct link), malware has been discovered on devices that downloads and installs a vulnerable version of the firmware, QTS 4.2.5. The advisory doesn't identify the bugs the attack …

  1. petur

    The hole seems to have been in the Photo Station app, so upgrade that one ASAP!

    More info:

    https://www.qnap.com/en/support/con_show.php?cid=116

    (note to editor: there is a direct link from that advisory list, it is in the right-most column)

  2. Anonymous Coward
    Facepalm

    Malware discovered on QTS devices

    "malware has been discovered on devices that downloads and installs a vulnerable version of the firmware, QTS 4.2.5."

    What I want to know is how did the malware get onto the devices in the firstplace?

    1. Anonymous South African Coward Silver badge

      Re: Malware discovered on QTS devices

      Aye, would like to know as well.

      Maybe they opened it to the WWW and ne'er-do-wells discovered an exploit with which they can install rogue programs.

      1. petur

        Re: Malware discovered on QTS devices

        If you expose its WWW side to the net...

        The hole was in their Photo Station app, which has a web interface. That's where they got in.

        The malware was a bitcoin miner (AFAIK, maybe there were others?), and they have a malware remover app that they update whenever they know about nasties targeting their NAS models.

        1. Korev Silver badge

          Re: Malware discovered on QTS devices

          Exactly why my Synology NAS is kept firmly behind my firewall with all of the remote access stuff disabled.

  3. Mark 65

    Users should check whether their firmware has been changed to 4.2.5, and if so, run the company's malware remover (version 2.1.2), and install QTS 4.3.3 if the device supports it; if not, users should install the latest official 4.2.5 release.

    Run that past me once more QNAP. If it's on a vulnerable version then update it if possible else download the latest copy of the vulnerable version? i.e. your box is now fucked. I think they need to patch boxes that cannot run 4.3.n

    1. petur

      It installed a 'patched' version of the latest firmware containing malware, so the hole is not in 4.2.5, it was fixed in that version.

      The malware creators installed their 4.2.5 infected version so users would think they are OK and the system would not see any need to update.

      1. Mark 65

        So what's to stop them loading a "patched" version of any other version of the firmware? I'm assuming 4.2.5 was the latest available when they figured it out. How did the original infection occur as a previous poster stated?

        There's clearly something we're not being told about the vulnerability of these systems and their firmware.

        QNAP are not the most upfront organisation. They repeatedly insisted I was using an incompatible UPS when the system sent a powerout signal to the UPS on power loss. I was forced to by another model in the same series of UPS (where the only difference was the battery size, no other difference) that was on the supported list. This also failed. They told me I'd bought a defective UPS. The UPS manufacturer got involved and low-and-behold a patch was issued to the firmware. No mention of UPS fixes in it but the problem went away. Blame-shifting deceitful bastards as far as I'm concerned.

        1. Mark 65

          FYI 4.2.6 now available for those not able to install 4.3.x

  4. JCDenton

    Photo Station gone so me no worry

    I removed unnecessary apps such as Photo Station so I consider myself immune to this exploit as well as all other exploits in the future, past, and present.

  5. Doctor T

    bitcoin mining - seriously?

    my qnap has a fricken celeron in it. how much bitcoin is that gonna mine over the course of a year? maybe 3 cents worth? these malware designers are complete idiots...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019