QNAP patches critical vulnerability in Surveillance Station NAS app

QNAP has addressed a critical security vulnerability in the Surveillance Station app that allows attackers to execute malicious code remotely on network-attached storage (NAS) devices running the vulnerable software.

Surveillance Station is QNAP's network surveillance Video Management System (VMS), a software solution that can help users manage and monitor up to 12 IP cameras.

It is a Turbo NAS standard application with support for over 3,000 IP camera models, and it can be installed from the company's QTS App Center.

Critical RCE bug fixed in the latest app versions

The critical security flaw patched today by QNAP is a stack-based buffer overflow vulnerability impacting QNAP NAS devices running Surveillance Station.

"If exploited, this vulnerability allows attackers to execute arbitrary code," QNAP explains in a security advisory from today.

When successfully exploiting it for arbitrary code execution, the attackers will also regularly subvert any security service or anti-malware solutions running on the compromised device.

QNAP has already fixed the critical vulnerability in the following software versions:

• Surveillance Station 5.1.5.4.3 (and later) for ARM CPU NAS (64bit OS) and x86 CPU NAS (64bit OS)
• Surveillance Station 5.1.5.3.3 (and later) for ARM CPU NAS (32bit OS) and x86 CPU NAS (32bit OS)

The company has also patched a medium severity cross-site scripting (XSS) vulnerability affecting earlier versions of the Photo Station app used to upload images to QNAP NAS device, create albums, or view them remotely.

"If exploited, this vulnerability allows remote attackers to inject malicious code," according to QNAP. The security bug was addressed in Photo Station 6.0.11 and later.

How to update to the latest versions

Given the vulnerabilities' severity ratings, customers should update both apps to the latest available versions as soon as possible.

To do that, you have to log into your NAS devices as admin and use the App Center to look for app updates.

To update Surveillance Station and Photo Station on your NAS, you need to go through the following steps:

1. Log into QTS as administrator.
2. Open the App Center, and then click . A search box appears.
3. Type "Surveillance Station" and "Photo Station", and then press ENTER. The application appears in the search results.
4. Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version.
5. Click OK. The application is updated.

NAS devices are attractive targets

NAS devices are often targeted by attackers who want to steal sensitive documents or deploy info-stealing malware since they are commonly used for backing up and sharing sensitive files.

QNAP alerted customers in September 2020 of an AgeLocker ransomware campaign targeting Internet exposed NAS devices in attacks exploiting older and vulnerable Photo Station versions.

Previously, it also warned of eCh0raix ransomware attacks targeting another series of Photo Station app security flaws starting with June 2020.

Qihoo 360's 360 Netlab also said in August that attackers were scanning for vulnerable NAS devices trying to exploit a remote code execution (RCE) firmware vulnerability fixed over three years ago, in July 2017.

Comments are closed.