QNAP NAS Community Forum

Hi,
you Informations are not correct.
[What is affected]
FW 3.8.2+ installed the Survillance Station Pro.

Greetings

When will a Viostor Fix released? At the moment every Viostor System is attackable?

Greetings

Not a good job qnap did when reading this article:

http://www.h-online.com/security/news/i ... 83263.html

How nice. More reasons to love QNAP.

QNAPJason wrote:Security Advisory

[What is affected]
Surveillance Station Pro v3.0 from QTS 4.0 could allow guest user with "ping" permission.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143

Jason - what about CVE-2013-0141 as mentioned in the H security post?

@ Jason the CVE-2013-0141 only affects Viostor Systems. The only way to fix that problem is using one time tokens in request. But at the moment i think qnap is only working at the QNAP NAS not the QNAP Viostor. This is sad

Hi Envalon,
For NAS Surveillance Station Pro v3, we will remove both guest account & create_user.cgi (although the create_user.cgi is no use for NAS. This CGI is created after installing Surveillance Station).
Our NVR team is also working on the Viostor fix. Please wait for some more time.

Jason

QNAPJason wrote:Security Advisory

[What is affected]
Surveillance Station Pro v3.0 from QTS 4.0 could allow guest user with "ping" permission.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143

[How to fix]
Please go to App Center and upgrade Surveillance Station Pro to v3.0.1 or higher for the security fix (CWE-77).
The upcoming v3.0.2 will disable guest login completely. Please wait for 1 more day.

SSPro3.0.1.jpg

Is that means I must upgrade to QTS 4.0??

------------------------------------
Current Mode: 469L
OS 3.8.2

Good question. Is the Survillnace Station Pro 3.0.1 only for 4.0?

Can someone with a FW 3.x.x say that he can update the Survillance Stion Pro to the 3.0.1 Version?

can someone answer the question?

SS 3.* is only running on FW 4.*

Thats is the problem for many SS user like me.
Wait and let the qnap team do their work.

Wait???
They had two and a half weaks to work on a FIX. They released a first update (never went live) and said it fixes the problem. Than i tested and no it was still vulnerable. Now they told again they fixed the problem and will infrom customers. But this "fix" is not a real fix. Also there is no information about the Viosotor Systems. There a company viostor system reachable from the internet you can access and view cams, play records ....... On the other way there are a lot of NAS systems attackable from the internet witch TB of data. This server will probably now be attacked by hackers because the hack is so easy. Not everyone can upgrade to the FW 4.0 this evern can leads to a data loss. So sorry but qnap did a realy bad job. And its not over !

To fix the issues on VioStor NVR system, please visit http://forum.qnapsecurity.com/viewtopic ... 0&t=183680 to download the latest NVR firmware.

@andreyu how did you fix the problem?
After a short look into the fw the pingping.cgi is still there. Is the input now sanitized? Is the guest account removed?
Would be nic eif you can update the demo system on your homepage

Greetings