We're aware of the potential security issues caused by the installation of Surveillance Station Pro on QNAP Turbo NAS. The solutions have been provided and available from App/QPKG Center.
Regarding the reported vulnerabilities on the QNAP Turbo NAS with Surveillance Station Pro App/QPKG installed, QNAP suggests that the Turbo NAS users immediately update the Surveillance Station Pro app to the newest version for fixing these issues.
June 10, 2013
1. QNAP Turbo NAS with system firmware 3.8 and Surveillance Station Pro v2.0 - 2.5 installed.
2. QNAP Turbo NAS with system firmware 4.0 and Surveillance Station Pro v3.0.0 installed.
Note: These vulnerabilities do not exist if you have not installed Surveillance Station Pro on Turbo NAS. No fix is required in this case. Moreover, the newest Surveillance Station Pro on the App Center already solved these issues.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command
CWE-352: Cross-Site Request Forgery (CSRF). CVE-2013-0144
For detailed information, please visit: http://www.kb.cert.org/vuls/id/927644
QNAP Turbo NAS with system firmware 4.0 and Surveillance Station Pro v3.0.0 installed:
Please go to App Center and upgrade Surveillance Station Pro to v3.0.2 or higher for the security fixes.
Direct download: http://download.qnap.com/QPKG/Surveilla ... .2_x86.zip http://download.qnap.com/QPKG/Surveilla ... rm-x19.zip
QNAP Turbo NAS with system firmware 3.8 and Surveillance Station Pro v2.0 - 2.5 installed:
Please go to QPKG Center and upgrade Surveillance Station Pro to v2.6 or higher for the security fixes.
Direct download: http://download.qnap.com/QPKG/Surveilla ... .6_x86.zip http://download.qnap.com/QPKG/Surveilla ... rm-x19.zip
1. For any further inquiries, please contact us by email: firstname.lastname@example.org
2. For VioStor NVR vulnerabilities, please visit VioStor forum to get the hot-fix firmware. (http://forum.qnapsecurity.com/viewtopic ... 0&t=183680)