QNAP NAS vulnerabilities not patched after almost a year

Discussion in 'Frontpage news' started by Hilbert Hagedoorn, Jan 18, 2017.

  1. Hilbert Hagedoorn

  2. sdamaged99

    This is why I use unRAID and not a "consumer" NAS.
     
  3. snip3r_3

    While unRAID is not a commercial off-the-shelf NAS, it is still very much "consumer" grade. It is, simply put, just another Linux-based OS, like QNAP QTS, Synology DSM, and the various WD/Seagate/Netgear/Asustor/etc. variants.

    While there are BSD (like FreeNAS) and Windows-based NAS distributions/off-the-shelf units, each has vulnerabilities. You always have to stay up to date, and preferably with a vendor that is focused on security, as simply updating wouldn't have helped QNAP users against the MITM attack here.
     
  4. Kaarme

    Maybe if the attacker could make the device explode like Note 7, the company would do something about it.
     

  5. __hollywood|meo

    this happened because QNAP doesn't properly encrypt firmware update traffic. the simple fact that such absurd oversights occur to this day doesn't surprise me anymore; what i'm shocked by is that the company was notified a year ago & has not updated the vulnerable protocol in any way.

    this kind of sloppy crap also highlights exactly why automatic updates are cancer. if you want a secure system, don't trust others to do your work for you.
     
  6. Kaarme

    No, not really. The biggest weakness is always the human users. Botnets thrive because people don't manually update software and firmware, not even the 1234 factory default passwords. Out of laziness, ignorance, or not enough workforce in business (that is, supposedly saving money). Remove automatic updates and the already nasty situation will first explode, then implode.
     
