Page 1 of 1

Security Fix for Surveillance Station Pro v3.0 & v2.0~2.5

Posted: Fri Jun 07, 2013 12:28 am
by QNAPJason
Dear customers,
We're aware of the potential security issues caused by the installation of Surveillance Station Pro on QNAP Turbo NAS. The solutions have been provided and available from App/QPKG Center.

Overview:
Regarding the reported vulnerabilities on the QNAP Turbo NAS with Surveillance Station Pro App/QPKG installed, QNAP suggests that the Turbo NAS users immediately update the Surveillance Station Pro app to the newest version for fixing these issues.

Release Date:
June 10, 2013

Applied Devices:
1. QNAP Turbo NAS with system firmware 3.8 and Surveillance Station Pro v2.0 - 2.5 installed.
2. QNAP Turbo NAS with system firmware 4.0 and Surveillance Station Pro v3.0.0 installed.
Note: These vulnerabilities do not exist if you have not installed Surveillance Station Pro on Turbo NAS. No fix is required in this case. Moreover, the newest Surveillance Station Pro on the App Center already solved these issues.

Vulnerabilities:
 CWE-284: Improper Access Control CVE-2013-0142
 CWE-77: Improper Neutralization of Special Elements used in a Command
CVE-2013-0143
 CWE-352: Cross-Site Request Forgery (CSRF). CVE-2013-0144
For detailed information, please visit: http://www.kb.cert.org/vuls/id/927644

Solutions:
 QNAP Turbo NAS with system firmware 4.0 and Surveillance Station Pro v3.0.0 installed:
Please go to App Center and upgrade Surveillance Station Pro to v3.0.2 or higher for the security fixes.
Direct download: http://download.qnap.com/QPKG/Surveilla ... .2_x86.zip http://download.qnap.com/QPKG/Surveilla ... rm-x19.zip
 QNAP Turbo NAS with system firmware 3.8 and Surveillance Station Pro v2.0 - 2.5 installed:

Please go to QPKG Center and upgrade Surveillance Station Pro to v2.6 or higher for the security fixes.
Direct download: http://download.qnap.com/QPKG/Surveilla ... .6_x86.zip http://download.qnap.com/QPKG/Surveilla ... rm-x19.zip
Other Information:
1. For any further inquiries, please contact us by email: sspro@qnap.com
2. For VioStor NVR vulnerabilities, please visit VioStor forum to get the hot-fix firmware. (http://forum.qnapsecurity.com/viewtopic ... 0&t=183680)