Sicherheitslücke in Echtzeit Aktualisierung
christian
Firmware Aktualisierung.pngWie bereits im Forum berichtet wurde, ist schon über einen sehr langen Zeitraum eine Sicherheitslücke in allen QTS Firmware Versionen bekannt.
Um zumindest vorübergehend dem Problem aus dem Weg zu gehen, empfiehlt QNAP die Echtzeit Aktualisierung vorerst zu deaktivieren!
Auf seiner Security Bulletin Website listet QNAP die Sicherheitslücke nun wie folgt:
Alles anzeigenSecurity Alert for Firmware Update Vulnerabilities
Release date:January 18, 2017
Last updated:January18, 2017
Bulletin ID: NAS-201701-18
Severity rating: Medium
Affected products:
All QNAP NAS running QTS
<div style="border-bottom-style: solid; border-bottom-color: rgb(52, 114, 153); font-variant-numeric: inherit; font-stretch: inherit; line-height: 24px; font-family: "Open Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 18px; vertical-align: baseline; color: rgb(52, 114, 153);">Summary
QNAP is currently addressing several vulnerabilities reported by F-Secure, a cyber security company. Based on the proof-of-concept exploit, successful attacks during the firmware update process may grant attackers administrator access to the NAS. However, these vulnerabilities are not easily exploited if the NAS is connected to a wired environment.
We will update QTS and then release fixes as soon as possible. In the meantime, users can choose to disable the automatic updates to protect their NAS.
Disabling Live Update
- Log on as administrator to the QTS web console.
- Go to "Control Panel" > "Firmware Update" > "Live Update".
- Deselect "Automatically check if a newer version is available when logging into the NAS web administration interface".
- Click "Apply".