Home > QNAP Systems, Inc. > QNAP-Security-Advisory---Bulletin-ID--NAS-201412-24

QNAP Security Advisory | Bulletin ID: NAS-201412-24

by QNAP Systems, Inc. on Dec 25, 2014

QNAP Security Advisory | Bulletin ID: NAS-201412-24

Taipei, Taiwan, December 25, 2014 - QNAP® had published security enhancement against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Security Alert for Misfortune Cookie Vulnerability on Residential Gateways

Release date: December 24, 2014
Last updated: December 24, 2014
Bulletin ID: NAS-201412-24
Severity rating: Critical
CVE number: CVE-2014-9222

Affected products: All Turbo NAS series that are connected to residential gateway devices (e.g. routers) using vulnerable versions of the Allegro RomPager embedded web server

Summary

The Misfortune Cookie vulnerability can be exploited to allow remote attackers to remotely take over a residential gateway and may execute arbitrary code on the device. Other devices that are connected to the gateway have an increased risk of compromise. Thus, the attacker can easily steal your credentials and personal or business data or attempt to infect your machines with malware.

For more information about the Misfortune Cookie vulnerability, visit the Check Point website at http://www.checkpoint.com/blog/fortune-cookie-hole-internet-gateway/.

Solution

Check for firmware updates addressing this issue from your device vendor and apply the updates immediately. If there are no such updates, contact your device vendor to see if your device is vulnerable.
There are some methods to mitigate this issue:

Disable services that listen for HTTP or HTTPS connections on the device's WAN side.
Technical users may consider flashing alternative firmware to their devices. However, you only apply this at your own risk and note that this action may invalidate device warranties.

For more details on the mitigation methods, visit the CERT organization website: http://www.kb.cert.org/vuls/id/561444

To make your Turbo NAS more secure, please do the following:

Update your Turbo NAS to the latest firmware version or install Qfix for Bash security patch (Qfix 1.0.2 build 1008) for QTS firmware prior to 2014/10/03 (QTS 4.1.1 Build 1003).
Change the default password for the admin account.
Protect shared folders on your NAS with privileged access rights (non-guest rights).
Force your Turbo to use only HTTPs connection for secure communication. To do so, Login to your Turbo NAS as the admin, go to "Control Panel"> "System Settings">"General Settings"> and choose the "System Administration" tab. Check the "Enable secure connection (HTTPS)" option and enter the port number, and then check the "Force secure connection (HTTPS) only" option. Click "Apply" to apply the changes.

Share this:

Votes: 0

Comments: 9
Comment Now

Share|

Add Comment / Vote

Please login or join to add your comment / vote.

Comments

However, when it comes to choosing a modern access credential solution, there are two main options to choose from: access cards and access key fobs. key fob access control key fob access control

Posted by eemanman@yandex.com Jan 15, 2019

Promptly the internet site could possibly irrefutably receive credited extremely connected with placing people, to its diligent articles and reviews or maybe vital opinions. Our Site

Posted by uzairawan9987654@gmail.com Apr 08, 2019

Toronto Limo Rentals offer extravagant party bus experience coupled with seamless booking options, online payment methods, dedicated customer support, and qualified event managers. Toronto Party Bus

Posted by uzairawan9987654@gmail.com Mar 26, 2019

Our limousine and party bus rentals are available to suit any event like bachelor parties, wedding celebrations, birthday parties, corporate meetings, proms, Niagara Falls visits or any other community event. Niagara Falls Limo

Posted by uzairawan9987654@gmail.com Mar 26, 2019

Its in the same way an excellent write-up that i unquestionably appreciated studying. It's actually not essentially day-to-day that i grow a chance to uncover nearly anything. Click Here

Posted by uzairawan9987654@gmail.com Apr 03, 2019

Its in the same way an excellent write-up that i unquestionably appreciated studying. It's actually not essentially day-to-day that i grow a chance to uncover nearly anything. Tax Accountants Brighton

Posted by uzairawan9987654@gmail.com Mar 20, 2019

wow this saintly however ,I love your enter plus nice pics might be part personss negative love being defrent mind total poeple.... granite countertops installation nj

Posted by robina@tempmail.de Apr 22, 2019

Features encrypted access, IP blocking, hard drive encryption and Antivirus to create a more secure network. Security has always been a focus in the IT environment. As NAS is designed to provide daily data access to many users, protecting important contents in the NAS is crucial. Outfit for Birthday Party for Men What to Wear with Leather Jacket for Men

Posted by elegancelink6@gmail.com Sep 03, 2022

NAS-201412-24 An issue has been identified that is related to the NVRAM_Boot_Loader vulnerability. The vulnerability could cause a system crash, resulting in data loss. This vulnerability has been among us assigned the CVE identifier CVE-2014-6270. It is recommended that all NAS devices with framed game an affected model number be upgraded as soon as possible.

Posted by otis5842@gmail.com Aug 04, 2022