DIVD-2022-00030 - Exposed QNAP
| Case lead | Ralph Horn |
| Versions | 4.3.3 up to 4.4.1 |
| Recommendation | If you received a notification of a vulnerability, patch your system with the information provided in this notification. |
| Last modified | 08 Dec 2022 16:28 |
QNAP urges users to immediately patch NAS devices after several were recently compromised and infected with malicious software. While the exact vulnerability is unknown, it is known that the threat actors targeted version 4.3.3 to version 4.4.1. Organizations and users are urged to upgrade to the latest version of QTS and disconnect their NAS from the internet.
By leveraging the vulnerability, an unauthenticated attacker with network access to the QNAP NAS can encrypt all files on the system. For more information on this vulnerability, see the article from TheRecord.
What you can do
- We recommend taking the following steps:
  - If you see a screen related to malware when accessing your QNAP, take a screenshot or a photo of this page.
  - Update the QNAP to the latest version based on the following guide by QNAP: https://www.qnap.com/en/how-to/knowledge-base/article/manually-upgradedowngrade-firmware-by-qfinder
  - Disable Auto Router Configuration with the following step:
    - Log on to QTS as administrator and perform the firmware upgrade via Control Panel > Firmware Upgrade.
  - If you saw a malware screen, go to Malware Remover and click “Scan”. You should remove any high-risk malware and reboot the QNAP afterwards.
  - Disable any port forwarding rules that expose the QNAP to the internet.
  - Verify that the QNAP is no longer reachable from the internet.
What we are doing
- DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
- We validate the vulnerability by checking whether the version is vulnerable, based on the patch and version number given in an HTTP response.
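
The version check described above, sketched as an added example (not DIVD's scanner and not code from this case file): it classifies a response body against the affected range 4.3.3 to 4.4.1, for instance one saved from your own NAS. The XML layout and element names are assumptions, and the sample bodies are constructed.

```python
import xml.etree.ElementTree as ET

# Affected range as stated in this case file (inclusive on both ends).
AFFECTED_MIN = (4, 3, 3)
AFFECTED_MAX = (4, 4, 1)

# Constructed sample responses. The element names are an assumption about
# the XML a NAS returns; adjust them to what your device actually sends.
SAMPLE_AFFECTED = """<QDocRoot><firmware>
  <version><![CDATA[4.3.6]]></version>
  <build><![CDATA[20200101]]></build>
  <patch><![CDATA[0]]></patch>
</firmware></QDocRoot>"""
SAMPLE_CURRENT = SAMPLE_AFFECTED.replace("4.3.6", "5.0.1")


def parse_firmware(xml_text):
    """Return (version_tuple, build, patch) or None if fields are missing."""
    try:
        fw = ET.fromstring(xml_text).find("firmware")
    except ET.ParseError:
        return None
    if fw is None:
        return None
    version = (fw.findtext("version") or "").strip()
    parts = version.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return (tuple(int(p) for p in parts),
            (fw.findtext("build") or "").strip(),
            (fw.findtext("patch") or "").strip())


def classify(xml_text):
    """'affected', 'not-in-range' or 'unknown' for one response body."""
    info = parse_firmware(xml_text)
    if info is None:
        return "unknown"  # never report an unparsed host as safe
    # The page gives no patch threshold, so build/patch are parsed, not compared.
    version, _build, _patch = info
    # Tuple comparison avoids string pitfalls such as "4.10.0" < "4.3.3".
    return "affected" if AFFECTED_MIN <= version <= AFFECTED_MAX else "not-in-range"


if __name__ == "__main__":
    for name, body in [("affected sample", SAMPLE_AFFECTED),
                       ("current sample", SAMPLE_CURRENT),
                       ("garbage", "<html>login</html>")]:
        print(name, "->", classify(body))
```

Bodies received from hosts you do not control should go through a hardened XML parser such as `defusedxml` rather than the standard-library parser used here.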
| 23 May 2022 | DIVD starts investigating the scope and impact of the vulnerability. |
| 23 May 2022 | First version of this case file. |
| 24 May 2022 | First round of notifications sent to about 10000 hosts |
| 24 May 2022 | Data concerning the Netherlands shared with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt) |
| 10 Jun 2022 | In the second scan we sent over 15000 notifications concerning vulnerable hosts |
| 10 Jun 2022 | Data concerning the Netherlands shared with the Digital Trust Center and the Dutch Security Clearing House (Security Meldpunt) again |