QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software.
Surveillance Station is QNAP’s network surveillance Video Management System (VMS), a software solution that can help users manage and monitor up to 12 IP cameras.
It is a Turbo NAS standard application with support for over 3,000 IP camera models, and it can be installed from the company’s QTS App Center.
Critical RCE bug fixed in the latest app versions
The critical security flaw patched today by QNAP is a stack-based buffer overflow vulnerability impacting QNAP NAS devices running Surveillance Station.
“If exploited, this vulnerability allows attackers to execute arbitrary code,” QNAP explains in a security advisory from today.
Once an attacker has achieved arbitrary code execution this way, they can typically also disable or subvert any security service or anti-malware solution running on the compromised device.
QNAP has already fixed the critical vulnerability in the following software versions:
- Surveillance Station 126.96.36.199.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS)
- Surveillance Station 188.8.131.52.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS)
The company has also patched a medium severity cross-site scripting (XSS) vulnerability affecting earlier versions of the Photo Station app, which is used to upload images to QNAP NAS devices, create albums, or view them remotely.
“If exploited, this vulnerability allows remote attackers to inject malicious code,” according to QNAP. The security bug was addressed in Photo Station 6.0.11 and later.
How to update to the latest versions
Given the vulnerabilities’ severity ratings, customers should update both apps to the latest available versions as soon as possible.
To do that, you have to log into your NAS devices as admin and use the App Center to look for app updates.
To update Surveillance Station and Photo Station on your NAS, you need to go through the following steps:
- Log into QTS as administrator.
- Open the App Center, and then click . A search box appears.
- Type “Surveillance Station” and “Photo Station”, and then press ENTER. The applications appear in the search results.
- Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
- Click OK. The application is updated.
NAS devices are attractive targets
NAS devices are often targeted by attackers who want to steal sensitive documents or deploy info-stealing malware since they are commonly used for backing up and sharing sensitive files.
QNAP alerted customers in September 2020 of an AgeLocker ransomware campaign targeting Internet exposed NAS devices in attacks exploiting older and vulnerable Photo Station versions.
Previously, it also warned of eCh0raix ransomware attacks targeting another series of Photo Station app security flaws, starting in June 2020.
Qihoo 360’s 360 Netlab also said in August that attackers were scanning for vulnerable NAS devices trying to exploit a remote code execution (RCE) firmware vulnerability fixed over three years ago, in July 2017.
Is your business affected by cyber crime?
If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime takes several forms, such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scams, and CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.
Digitpol’s Cyber Crime Investigation Unit provides investigative support to victims of cyber crimes. Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/
UK +44 20 8089 9944