Infosec boffins say they were forced to go public after QNAP failed to fix various vulnerabilities that were reported to it months ago.
Researchers at watchTowr said on Friday that they drilled into QNAP’s QTS, QuTSCLoud, and QTS hero operating systems and found 15 vulnerabilities, with only four of the holes receiving patches.
Six of the remaining 11 bugs were accepted and validated by QNAP, and all have CVEs assigned to them, but despite most being reported in early January, and one as far back as December 2023, the vendor still hasn’t released patches.
The other five are either still under embargo, per the cybersecurity industry’s standard 90-day disclosure window, or have no fix available, in which case users should retire their devices.
It’s standard practice to allow a vendor 90 days to fix and disclose a vulnerability reported to it by a researcher. It allows time to assess the threat, develop a fix, devise a strategy for rolling out patches, and decide when and how to disclose it publicly.
Especially generous researchers, or those reporting particularly confounding bugs that aren’t so easily fixed, will sometimes extend this 90-day window to ensure the vulnerability is patched properly, even if it means letting it go unfixed for a longer period.
According to watchTowr, the majority of the bugs it outlined were reported to QNAP in January, implying going public on May 17 would mean the researchers offered the vendor a much larger window in which to issue patches.
“Here at watchTowr, we abide by an industry-standard 90-day period for vendors to respond to issues, as specified in our VDP,” said watchTowr. “We are usually generous in granting extensions to this in unusual circumstances, and indeed, QNAP has received multiple extensions in order to allow remediation.
“In cases where there is a clear ‘blocker’ to remediation – as was the case with WT-2023-0050, for example – we have extended this embargo even further to allow enough time for the vendor to analyze the problem, issue remediation, and for end-users to apply these remediations.
“However, there must always be some point at which it is in the interest of the internet community to disclose issues publicly.”
As Juniper Networks will be aware, watchTowr has no qualms in calling out vendors that ignore the 90-day disclosure window.
Despite the apparent inability of the vendor to issue patches on time, the researchers said QNAP was highly cooperative throughout the disclosure process. The vendor offered watchTowr’s team remote access to its testing environment to allow for more comprehensive vulnerability reporting.
The researchers said it was “something unexpected that left us with the impression they place the security of their users at a very high priority.” The patching speed was an issue, however.
Full details of all 15 vulnerabilities watchTowr reported can be found here.
The Register contacted Taiwan-based QNAP to understand more about the absent patches, and to ask if it wished to refute anything from watchTowr’s report, but it didn’t immediately respond.
NASty issues
QNAP’s security practices have been called into question numerous times in recent years. The highest profile cases have arguably involved ransomware, with various strains taking shots at the vendor’s devices over the years.
In 2021, it was Qlocker and eCh0raix that exploited critical vulnerabilities the vendor patched just weeks prior. After successful infections, Qlocker demanded 0.01 Bitcoin as a ransom payment – a little more than $500 at the time’s exchange rate.
The following year saw another ransomware event at the hands of DeadBolt. The criminals behind the operation launched at least four different waves of ransomware attacks against QNAP NAS devices, updating code along the way for stronger and faster encryption.
The situation became so bad that the vendor took the controversial measure of force-updating devices that users hadn’t patched. Many NAS owners at the time didn’t respond positively, since the updates could have led to important data loss.
As recently as February QNAP was also accused of bungling the severity assessment of a vulnerability that both researchers and national security agencies agreed required urgent patching. QNAP assigned CVE-2023-50358 a mere 5.8 severity rating out of a possible 10.
Don’t (Q)nap on the latest bugs
Researchers at watchTowr were especially keen to highlight CVE-2024-27130, a stack overflow vulnerability requiring no authentication that can lead to remote code execution (RCE) providing a valid NAS user shared a malicious file.
More concerning is that it’s one of the six vulnerabilities accepted and validated by QNAP – it agrees the vulnerability is legit and should be fixed – but hasn’t recieved a patch. Researchers first reported the bug on January 3.
It’s generally considered bad practice for anyone to release proof of concept (PoC) exploit code for vulnerabilities that haven’t been patched, but watchTowr has done so via GitHub, perhaps to hurry QNAP along.
The researchers said they empathize with QNAP, which manages a codebase heavily composed of ten-year-old code, and how the vendor is “working hard to squeeze all the bugs out of it.” However, given its prior history of suffering damaging attacks, patches should probably be developed at a faster rate. ®