Hot potato: QNAP is once again warning customers about a security vulnerability affecting its network-attached storage (NAS) devices. The critical flaw could make remote attacks easier, so owners are strongly advised to install the latest firmware updates.

Taiwanese company QNAP recently disclosed a new security vulnerability in the operating system of its NAS devices, a dangerous flaw rated at “critical” severity that could spell doom for remotely accessible user data. Patches are already available, and users should always install the latest updates to keep their NAS units safe from cyber-criminals and ransomware gangs.

According to QNAP’s official security bulletin, the flaw, tracked as CVE-2022-27596, affects the QTS 5.0.1 and QuTS hero h5.0.1 NAS operating systems. If exploited, QNAP warns, the SQL injection vulnerability could allow remote attackers to inject malicious code. Attacks do not require authentication, so QNAP assigned the bug a CVSS score of 9.8 out of 10.

The company has already fixed the vulnerability, releasing the following updates for its NAS operating systems:

  • QTS 5.0.1.2234 build 20221201 and later
  • QuTS hero h5.0.1.2248 build 20221215 and later
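The two version thresholds above are the only thing an administrator needs in order to tell a patched unit from a vulnerable one. The following Python is an added example, not code from the article or from QNAP: it parses version strings in the form QNAP prints them (“5.0.1.2234 build 20221201”, “h5.0.1.2248”), compares them against the fixed builds named in the bulletin, and classifies a small inventory. The inventory records, host names and older version numbers are constructed for illustration; the classification of builds outside the 5.0.1 branch as “outside-affected-branch” simply reflects that this bulletin only names QTS 5.0.1 and QuTS hero h5.0.1, not that those builds are known to be safe.

```python
import re
from collections import Counter

# Fixed versions named in QNAP's bulletin for CVE-2022-27596 (values taken from the article).
FIXED_VERSIONS = {
    "QTS": ((5, 0, 1, 2234), 20221201),
    "QuTS hero": ((5, 0, 1, 2248), 20221215),
}
# The bulletin names only the 5.0.1 branch of each product as affected.
AFFECTED_BRANCH = (5, 0, 1)

# Accepts "5.0.1.2234 build 20221201", "h5.0.1.2248 build 20221215" or a bare "h5.0.1.2200".
VERSION_RE = re.compile(
    r"^h?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?$", re.IGNORECASE
)


def parse_version(text):
    """Return ((major, minor, patch, build_no), build_date_or_None) for a QNAP version string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    numbers = tuple(int(part) for part in match.groups()[:4])
    build_date = int(match.group(5)) if match.group(5) else None
    return numbers, build_date


def classify(product, version_text):
    """Classify one host as patched / vulnerable / unknown / outside-affected-branch."""
    if product not in FIXED_VERSIONS or not version_text:
        # Product not covered by the bulletin, or no version could be read
        # (Censys could only obtain a version for part of the hosts it saw).
        return "unknown"
    try:
        numbers, build_date = parse_version(version_text)
    except ValueError:
        return "unknown"
    if numbers[:3] != AFFECTED_BRANCH:
        return "outside-affected-branch"
    fixed_numbers, fixed_build_date = FIXED_VERSIONS[product]
    if numbers > fixed_numbers:
        return "patched"
    # Same four-part version: the build date decides when it is present.
    if numbers == fixed_numbers and (build_date is None or build_date >= fixed_build_date):
        return "patched"
    return "vulnerable"


def summarize(inventory):
    """Count hosts per classification for a list of (host, product, version) records."""
    return dict(Counter(classify(product, version) for _, product, version in inventory))


# Constructed sample inventory; host names and the older versions are illustrative only.
SAMPLE_INVENTORY = [
    ("nas-01.example", "QTS", "5.0.1.2234 build 20221201"),
    ("nas-02.example", "QTS", "5.0.1.2000 build 20221001"),
    ("nas-03.example", "QuTS hero", "h5.0.1.2248 build 20221215"),
    ("nas-04.example", "QuTS hero", "h5.0.1.2200"),
    ("nas-05.example", "QTS", None),
    ("nas-06.example", "QTS", "4.5.4.2000 build 20220101"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        print(f"{host:16} {product:10} {str(version):28} {classify(product, version)}")
    print(summarize(SAMPLE_INVENTORY))
```

The script reports which units still need the update and how many hosts could not be assessed at all; the “unknown” bucket is worth keeping visible, because a scan that cannot read the OS version says nothing about whether that unit is patched.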

Users are urged to install the updates through the QTS/QuTS control panel while logged in as administrators, or by downloading the update directly from the download center on QNAP’s website. The Product Support Status page can also be checked for the latest updates available for every NAS model the company supports.

Security firm Censys identified 67,415 online hosts running a QNAP-based system, but could obtain the OS version number for only 30,520 of them; over 98% of the identified QNAP devices were vulnerable to CVE-2022-27596. Very few devices had been patched, with only 557 running QuTS hero h5.0.1.2248 or later or QTS 5.0.1.2234 or later.

Censys said that 29,968 hosts are still affected by the vulnerability, with many of them located in the United States and Italy. There is no published exploit or proof-of-concept yet, but once such code is released in the open, the data of thousands of QNAP users could be in grave danger.

It is “very likely” that CVE-2022-27596 could bring yet another successful ransomware campaign against user data stored on NAS devices reachable over the internet. Censys said that the Deadbolt ransomware is already geared to target QNAP NAS devices specifically, so the cyber-criminals could use a future exploit or PoC to spread the same ransomware again.
