Taipei, Taiwan, December 25, 2014 - QNAP® has published security enhancements against vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Security Alert for Misfortune Cookie Vulnerability on Residential Gateways
Release date: December 24, 2014
Last updated: December 24, 2014
Bulletin ID: NAS-201412-24
Severity rating: Critical
CVE number: CVE-2014-9222
Affected products: All Turbo NAS series that are connected to residential gateway devices (e.g. routers) using vulnerable versions of the Allegro RomPager embedded web server
Summary
The Misfortune Cookie vulnerability can be exploited by remote attackers to take over a residential gateway and potentially execute arbitrary code on the device. Other devices connected to the gateway are then at increased risk of compromise: the attacker can easily steal your credentials and personal or business data, or attempt to infect your machines with malware.
For more information about the Misfortune Cookie vulnerability, visit the Check Point website at http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/.
Solution
Check for firmware updates addressing this issue from your device vendor and apply the updates immediately. If there are no such updates, contact your device vendor to see if your device is vulnerable.
The following methods mitigate this issue:
- Disable services that listen for HTTP or HTTPS connections on the device's WAN side.
- Technical users may consider flashing alternative firmware to their devices. However, you do this at your own risk, and note that this action may invalidate device warranties.
For more details on the mitigation methods, visit the CERT organization website: http://www.kb.cert.org/vuls/id/561444
To make your Turbo NAS more secure, please do the following:
- Update your Turbo NAS to the latest firmware version or install Qfix for Bash security patch (Qfix 1.0.2 build 1008) for QTS firmware prior to 2014/10/03 (QTS 4.1.1 Build 1003).
- Change the default password for the admin account.
- Protect shared folders on your NAS by granting access rights only to privileged accounts (no guest access).
- Force your Turbo NAS to use HTTPS connections only for secure communication. To do so, log in to your Turbo NAS as admin, go to "Control Panel" > "System Settings" > "General Settings" and choose the "System Administration" tab. Check the "Enable secure connection (HTTPS)" option and enter the port number, then check the "Force secure connection (HTTPS) only" option. Click "Apply" to apply the changes.
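Two of the recommendations above can be verified from the LAN rather than taken on trust: whether the residential gateway's embedded web server is still an affected RomPager build (the "check with your device vendor" step), and whether the Turbo NAS really stops serving its admin interface over plain HTTP once "Force secure connection (HTTPS) only" is applied. The script below is an added example written for this bulletin; it is not QNAP's code or Check Point's tooling. It assumes that RomPager versions older than 4.34 are the affected ones (the threshold stated in the public Check Point and CERT advisories, not in this bulletin), that the NAS plain-HTTP admin port is 8080 (an assumption; pass your own port), and that a correct HTTPS-only setup either refuses the plain-HTTP connection or redirects it to an https:// URL. The sample banners and responses in the `__main__` section are constructed so the script runs offline.

```python
"""Two LAN-side checks for the mitigations in this bulletin (added example):
1. classify a residential gateway's HTTP 'Server' banner for affected RomPager versions;
2. judge whether a Turbo NAS refuses or redirects plain-HTTP admin access after
   'Force secure connection (HTTPS) only' has been enabled.
"""
import re
from http.client import HTTPConnection

# CVE-2014-9222 is reported for RomPager versions older than 4.34. That threshold comes
# from the public Check Point / CERT advisories cited in the bulletin, not from the bulletin text.
ROMPAGER_FIXED_VERSION = (4, 34)
_ROMPAGER_RE = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def assess_server_header(server_header):
    """Return 'vulnerable', 'patched', 'not-rompager' or 'unknown' for a Server header value."""
    if not server_header:
        return "unknown"
    match = _ROMPAGER_RE.search(server_header)
    if not match:
        return "not-rompager"
    version = (int(match.group(1)), int(match.group(2)))  # e.g. "4.07" -> (4, 7)
    return "vulnerable" if version < ROMPAGER_FIXED_VERSION else "patched"


def assess_plain_http_response(status, location):
    """Judge a plain-HTTP response from the NAS admin port.

    With 'Force secure connection (HTTPS) only' in effect the NAS must not serve the
    admin UI over HTTP: a refused connection (status None) or a redirect to an
    https:// URL passes; anything else, notably a 200, fails.
    """
    if status is None:
        return "pass"
    if 300 <= status < 400 and location and location.lower().startswith("https://"):
        return "pass"
    return "fail"


def head_request(host, port, timeout=5.0):
    """HEAD '/' over plain HTTP; returns (status, lower-cased headers) or (None, {}) if refused."""
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    except OSError:  # connection refused, reset or timed out
        return None, {}
    finally:
        conn.close()


def check_gateway(host, port=80):
    """Classify the gateway's LAN-side web server banner."""
    _, headers = head_request(host, port)
    return assess_server_header(headers.get("server"))


def check_nas_https_only(host, http_port=8080):
    """Confirm the NAS no longer serves its admin UI over plain HTTP (port is an assumption)."""
    status, headers = head_request(host, http_port)
    return assess_plain_http_response(status, headers.get("location"))


if __name__ == "__main__":
    # Constructed sample banners and responses; no network access needed.
    for banner in ["RomPager/4.07 UPnP/1.0", "Allegro-Software-RomPager/4.34", "nginx/1.6.2"]:
        print(f"{banner!r:40} -> {assess_server_header(banner)}")
    for status, location in [(200, None), (301, "https://nas.example:443/"), (None, None)]:
        print(f"plain HTTP {status} {location!r:30} -> {assess_plain_http_response(status, location)}")
```

Run `check_gateway("192.168.1.1")` and `check_nas_https_only("<nas-address>", <http-port>)` from a host on the LAN. A banner check only sees what the gateway chooses to advertise, so a "not-rompager" or "patched" result is evidence, not proof; the vendor's firmware notes remain the authoritative answer.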