Taipei, Taiwan, January 16, 2018 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Security Advisory for Meltdown and Spectre Vulnerabilities
Release date: 2018/1/8
Security ID: NAS-201801-08
Severity rating: High
CVE identifier: CVE-2017-5715 | CVE-2017-5753 | CVE-2017-5754
Affected products: Several QNAP NAS models (The list will be updated after our ongoing investigation.)
Summary
Two major security flaws—Meltdown and Spectre—were found in a number of widely-used processors. Meltdown (CVE-2017-5754) affects Intel and ARM processors, while Spectre (CVE-2017-5715, CVE-2017-5753) affects several processors from Intel, ARM, and AMD. If exploited, these vulnerabilities may allow remote attackers to access sensitive data.
We have identified a number of affected QNAP NAS models. You can find the comprehensive list below. We are currently working on software updates to fix these vulnerabilities.
We will continue updating this advisory with the latest information.
Affected NAS models
Enterprise NAS
- 8-bay: TS-879 Pro, TS-879U-RP, TS-EC879U-RP, TS-EC880 Pro, TS-EC880U R2, TS-EC880U-RP, TVS-EC880
- 10-bay: TS-1079 Pro, TS-EC1080 Pro, TVS-EC1080, TVS-EC1080+
- 12-bay: SS-EC1279U-SAS-RP, TS-1279U-RP, TS-EC1279U-RP, TS-EC1279U-SAS-RP, TS-EC1280U R2, TS-EC1280U-RP, TVS-EC1280U-SAS-RP, TVS-EC1280U-SAS-RP R2
- 15-bay: TVS-EC1580MU-SAS-RP, TVS-EC1580MU-SAS-RP R2
- 16-bay: ES1640dc, ES1640dc v2, TDS-16489U, TS-1679U-RP, TS-1685, TS-EC1679U-SAS-RP, TS-EC1679U-RP, TS-EC1680U R2, TS-EC1680U-RP, TVS-EC1680U-SAS-RP, TVS-EC1680U-SAS-RP R2
- 18-bay: TES-1885U
- 24-bay: TS-EC2480U R2, TVS-EC2480U-SAS-RP, TVS-EC2480U-SAS-RP R2, TS-EC2480U-RP
- 30-bay: TES-3085U
SMB NAS
- 1-bay: TS-131
- 2-bay: TS-231, TS-239 Pro, TS-239 Pro II, TS-239 Pro II+, TS-239H, TS-253 Pro, TS-253A, TS-253B, TS-259 Pro, TS-259 Pro+, TS-269 Pro, TS-269H, TS-269L
- 4-bay: IS-400 Pro, IS-453S, SS-439 Pro, TBS-453A, TS-431, TS-431U, TS-431X, TS-431X2, TS-431XeU, TS-431XU, TS-431XU-RP, TS-439 Pro, TS-439 Pro II, TS-439 Pro II+, TS-439U-RP/SP, TS-451, TS-451S, TS-451U, TS-453 mini, TS-453 Pro, TS-453A, TS-453B, TS-453B mini, TS-453BT3, TS-453BU, TS-453BU-RP, TS-453S Pro, TS-453U, TS-453U-RP, TS-459 Pro, TS-459 Pro II, TS-459 Pro+, TS-459U-RP/SP, TS-459U-RP+SP+, TS-463U, TS-463U-RP, TS-469 Pro, TS-469L, TS-469U-RP, TS-469U-SP, TS-470, TS-470 Pro, TS-470U-SP, TS-470U-RP, TVS-463, TVS-470, TVS-471, TVS-471U, TVS-471U-RP, TVS-473, TVS-473e
- 5-bay: TS-531P, TS-531X, TS-559 Pro, TS-559 Pro II, TS-559 Pro+, TS-563, TS-569 Pro, TS-569L
- 6-bay: TS-639 Pro, TS-651, TS-653 Pro, TS-653A, TS-653B, TS-659 Pro, TS-659 Pro II, TS-659 Pro+, TS-669 Pro, TS-669L, TS-670, TS-670 Pro, TS-677, TVS-663, TVS-670, TVS-671, TVS-673, TVS-673e, TVS-682, TVS-682T
- 8-bay: SS-839 Pro, TS-809 Pro, TS-809U-RP, TS-831X, TS-831XU, TS-831XU-RP, TS-851, TS-853 Pro, TS-853A, TS-853BU, TS-853BU-RP, TS-853S Pro, TS-853U, TS-853U-RP, TS-859 Pro, TS-859 Pro+, TS-859U-RP, TS-859U-RP+, TS-863U, TS-863U-RP, TS-869 Pro, TS-869L, TS-869U-RP, TS-870, TS-870 Pro, TS-870U-RP, TS-873U, TS-873U-RP, TS-877, TVS-863, TVS-863+, TVS-870, TVS-871, TVS-871T, TVS-871U-RP, TVS-873, TVS-873e, TVS-882, TVS-882BR, TVS-882BRT3, TVS-882S, TVS-882ST2, TVS-882ST3, TVS-882T
- 12-bay: TS-1231XU, TS-1231XU-RP, TS-1253BU, TS-1253BU-RP, TS-1253U, TS-1253U-RP, TS-1263U, TS-1263U-RP, TS-1269U-RP, TS-1270U-RP, TVS-1271U-RP, TS-1273U, TS-1273U-RP, TS-1277, TVS-1282, TVS-1282T, TVS-1282T3
- 15-bay: TVS-1582TU
- 16-bay: TS-1635, TS-1673U, TS-1673U-RP
- 18-bay: SS-EC1879U-SAS-RP
- 24-bay: SS-EC2479U-SAS-RP
Home & SOHO NAS
- 1-bay: TS-131P
- 2-bay: TS-231+, TS-231P, TS-231P2, TS-251, TS-251+, HS-251, TS-251A, TS-251C, HS-251+
- 4-bay: TS-431+, TS-431P, TS-431P2, TS-451+, TS-451A
Recommendations:
Since attackers may attempt to compromise QNAP devices using malicious code and applications, QNAP recommends the following precautions:
- Do not install applications from unknown third-party sources.
- Do not open or run unknown virtual machine (VM) images on your device.
- Do not run unknown software in Container Station.
Revision History:
- V1.2 (January 16, 2018) - Updated the list of affected products
- V1.1 (January 11, 2018) - Updated with the initial list of affected products and recommendations
- V1.0 (January 8, 2018) - Published
If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/.