Researchers call out QNAP over slow patch development

Infosec experts say they were forced to go public after QNAP failed to fix several vulnerabilities reported to the company months ago.

Researchers at watchTowr said Friday that they drilled into QNAP’s QTS, QuTScloud and QuTS hero operating systems and found 15 vulnerabilities, with only four of the holes patched.

Six of the remaining eleven bugs have been accepted and validated by QNAP, and all have been assigned CVEs, but despite most being reported in early January, and one as early as December 2023, the vendor has still not released any patches.

The other five are either still under embargo, per the cybersecurity industry’s standard 90-day disclosure period, or have no fix available; in the latter case, users should decommission their devices.

It is standard practice to give a vendor 90 days to fix and disclose a vulnerability reported to them by a researcher. It allows time to assess the threat, develop a solution, devise a strategy for deploying patches, and decide when and how to make it public.

Particularly generous researchers, or those who report particularly complex bugs that cannot be easily fixed, will sometimes extend this 90-day period to ensure the vulnerability is properly patched, even if it means the flaw remains unresolved for a longer period of time.

According to watchTowr, most of the bugs described were reported to QNAP in January, so a May 17 disclosure gave the vendor a considerably larger window than the standard 90 days to release patches.

“Here at watchTowr, we adhere to an industry-standard 90-day period for suppliers to respond to issues, as specified in our VDP,” said watchTowr. “We are typically generous in granting extensions of this in unusual circumstances, and QNAP has indeed received multiple extensions to allow for recovery.

“In cases where there is a clear ‘blocker’ to remediation – as was the case with WT-2023-0050 for example – we have extended this embargo even further to give the supplier sufficient time to analyze the problem, implement remediation, and for end users to apply these remedial measures.

“However, there must always be a point at which it is in the interest of the Internet community to make issues public.”

As Juniper Networks knows, watchTowr has no qualms about calling out vendors who ignore the 90-day disclosure period.
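To make the embargo arithmetic in the preceding paragraphs concrete, here is a small Python tracker added for this article; it is not watchTowr’s tooling or QNAP’s. It computes each case’s deadline from the standard 90-day window plus any granted extensions, records when an extension was granted because of a remediation blocker, and classifies every case on the disclosure date. The January 3 report date and the May 17 disclosure follow the article (showing the bug had been open 135 days, well past 90); the issue labels ISSUE-B/C/D, the extension lengths and the blocker reason are constructed.

```python
"""Disclosure-window tracker for coordinated vulnerability disclosure.

Hypothetical example for this article, not a vendor's or researcher's tool.
Report dates follow the article; extension lengths and blocker reasons are
assumptions made up for the sample set.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

STANDARD_EMBARGO_DAYS = 90  # industry-standard window described in the article


@dataclass
class DisclosureCase:
    """One reported issue, tracked from vendor notification to public disclosure."""
    ident: str
    reported: date
    extensions_days: list[int] = field(default_factory=list)
    patched: bool = False
    blocker: str | None = None  # why remediation is stalled, if an extension cited one

    def deadline(self) -> date:
        """Date on which the embargo lapses, including all granted extensions."""
        total = STANDARD_EMBARGO_DAYS + sum(self.extensions_days)
        return self.reported + timedelta(days=total)

    def days_open(self, on: date) -> int:
        """Calendar days the vendor has had the report as of `on`."""
        return (on - self.reported).days

    def status(self, on: date) -> str:
        """'patched', 'embargoed' (deadline not reached) or 'disclosure-due'."""
        if self.patched:
            return "patched"
        if on < self.deadline():
            return "embargoed"
        return "disclosure-due"


def grant_extension(case: DisclosureCase, days: int, reason: str) -> DisclosureCase:
    """Record an extension. A reason prefixed 'blocker:' is kept on the case so a
    report can later explain why it stayed embargoed past the standard window."""
    case.extensions_days.append(days)
    if reason.startswith("blocker:"):
        case.blocker = reason[len("blocker:"):].strip()
    return case


def summarize(cases: list[DisclosureCase], on: date) -> dict[str, int]:
    """Count cases by status on a given date."""
    counts = {"patched": 0, "embargoed": 0, "disclosure-due": 0}
    for case in cases:
        counts[case.status(on)] += 1
    return counts


# Constructed sample set. CVE-2024-27130's January 3 report date and the
# May 17 disclosure date come from the article; everything else is made up.
DISCLOSURE_DATE = date(2024, 5, 17)
CASES = [
    DisclosureCase("CVE-2024-27130", date(2024, 1, 3)),            # accepted, no patch
    DisclosureCase("ISSUE-B", date(2024, 1, 10), patched=True),     # fixed within window
    grant_extension(DisclosureCase("ISSUE-C", date(2023, 12, 12)),
                    120, "blocker: fix depends on an upstream component"),
    DisclosureCase("ISSUE-D", date(2024, 3, 20)),                   # still inside 90 days
]

if __name__ == "__main__":
    for c in CASES:
        print(f"{c.ident:16} reported {c.reported} deadline {c.deadline()} "
              f"open {c.days_open(DISCLOSURE_DATE):3}d -> {c.status(DISCLOSURE_DATE)}"
              + (f"  (blocker: {c.blocker})" if c.blocker else ""))
    print(summarize(CASES, DISCLOSURE_DATE))
```

Run as a script it prints one line per case and the status counts; the first case shows a deadline of 2024-04-02 and 135 days open on May 17, which is the gap the article is describing.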

Despite the vendor’s apparent inability to release patches on time, the researchers said QNAP was very cooperative during the disclosure process. The vendor offered the watchTowr team remote access to the test environment, allowing for more comprehensive vulnerability reporting.

The researchers said it was “something unexpected that gave us the impression that they place the security of their users as a very high priority.” However, patch speed was an issue.

Full details of all 15 vulnerabilities reported by watchTowr can be found here.

The Register contacted Taiwan-based QNAP to find out more about the missing patches, and to ask if it would dispute anything in watchTowr’s report, but there was no immediate response.

Nasty problems

QNAP’s security practices have been questioned numerous times in recent years. The most notable cases likely involved ransomware, with various strains firing shots at the vendor’s devices over the years.

In 2021, it was Qlocker and eCh0raix that exploited critical vulnerabilities that the vendor had patched just weeks earlier. After successful infections, Qlocker demanded 0.01 Bitcoin as a ransom – just over $500 at the exchange rate at the time.

The following year, another ransomware event occurred at the hands of DeadBolt. The criminals behind the operation launched at least four different waves of ransomware attacks on QNAP NAS devices, gradually updating the code for stronger and faster encryption.

The situation got so bad that the vendor took the controversial step of forcibly updating devices that users had not patched. Many NAS owners did not react positively at the time, as the updates could have led to significant data loss.

As recently as February, QNAP was also accused of botching the severity assessment of a vulnerability that both researchers and national security agencies agreed was in urgent need of patching. QNAP only assigned CVE-2023-50358 a severity rating of 5.8 out of 10.

Don’t take a nap over the latest bugs

watchTowr researchers especially wanted to highlight CVE-2024-27130, a stack overflow vulnerability that does not require authentication and could lead to remote code execution (RCE), provided a valid NAS user shares a malicious file.

More worryingly, it is one of six vulnerabilities accepted and validated by QNAP – the company agrees the vulnerability is legitimate and needs to be fixed – but has not yet received a patch. Researchers first reported the bug on January 3.

It’s generally considered bad practice for anyone to release proof of concept (PoC) exploit code for vulnerabilities that haven’t been patched yet, but watchTowr has done this via GitHub, perhaps to expedite QNAP.

The researchers said they empathize with QNAP, which manages a codebase composed largely of decade-old code, and how the vendor is “working hard to squeeze out all the bugs.” Given the history of malicious attacks, patches should likely be developed at a faster pace. ®
