
Security Fix for Surveillance Station Pro v3.0 & v2.0~2.5

Posted: Fri Jun 07, 2013 5:22 am
by Envalon
Hi,
your information is not correct.
[What is affected]
FW 3.8.2+ with Surveillance Station Pro installed.

Greetings

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Fri Jun 07, 2013 5:25 am
by Envalon
When will a VioStor fix be released? At the moment every VioStor system is attackable?

Greetings

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Fri Jun 07, 2013 5:35 am
by johnripper
Not a good job by QNAP, judging by this article:

http://www.h-online.com/security/news/i ... 83263.html

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Fri Jun 07, 2013 6:47 am
by luddy
How nice. More reasons to love QNAP.

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Fri Jun 07, 2013 7:12 am
by Toxic17
QNAPJason wrote: Security Advisory

[What is affected]
Surveillance Station Pro v3.0 from QTS 4.0 could allow a guest user with "ping" permission.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143


Jason - what about CVE-2013-0141 as mentioned in the H security post?

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Fri Jun 07, 2013 1:56 pm
by Envalon
@Jason: CVE-2013-0141 only affects VioStor systems. The only way to fix that problem is using one-time tokens in requests. But at the moment I think QNAP is only working on the QNAP NAS, not the QNAP VioStor. This is sad :(
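The one-time request token that Envalon proposes above, worked through as an added example. This is not code from the thread, from QNAP or from the VioStor firmware; the store, the session ids and the `handle_create_user` handler are assumptions made for illustration. The point it shows is that a token must be bound to the issuing session, expire, and be accepted exactly once, so a request replayed from another origin or replayed a second time is refused before anything is created.

```python
"""Single-use request tokens (added illustration, not the vendor's code).

A state-changing request must carry a token that was issued to the
caller's session, has not expired, and has never been spent before.
"""
import hmac
import secrets
import time


class OneTimeTokenStore:
    """Issues single-use tokens bound to a session id and a time limit."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        # session id -> {token: expiry time}
        self._tokens = {}

    def issue(self, session_id):
        """Mint a fresh random token for this session and remember it.
        (Hypothetical API; the real product's token format is not known.)"""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, {})[token] = self.clock() + self.ttl
        return token

    def consume(self, session_id, token):
        """Return True exactly once per issued token, and only for the session
        it was issued to. Expired tokens are purged; any failure is False."""
        now = self.clock()
        bucket = self._tokens.get(session_id, {})
        # Drop expired tokens so the store cannot grow without bound.
        for stale in [t for t, exp in bucket.items() if exp <= now]:
            del bucket[stale]
        # Constant-time comparison against each live token, so the lookup
        # does not leak how much of a guessed token matched.
        presented = str(token).encode("utf-8")
        match = None
        for candidate in bucket:
            if hmac.compare_digest(candidate.encode("utf-8"), presented):
                match = candidate
        if match is None:
            return False
        del bucket[match]  # single use: the token is spent here
        return True


def handle_create_user(store, session_id, form):
    """Gate a hypothetical state-changing handler behind a one-time token.

    `form` is a dict of submitted fields. A request whose token is missing,
    already used, expired or issued to another session is rejected before
    any account is created; the success branch is a stand-in.
    """
    if not store.consume(session_id, form.get("token", "")):
        return (403, "missing, reused or foreign request token")
    return (200, "user %s created" % form.get("username", "?"))
```

In a real deployment the token would be embedded in the page that renders the form and checked by every CGI that changes state, not only the one shown; a token that is merely present but not tied to the session, or that stays valid after first use, gives no protection against a forged cross-site request.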

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Fri Jun 07, 2013 2:09 pm
by QNAPJason
Hi Envalon,
For NAS Surveillance Station Pro v3, we will remove both the guest account and create_user.cgi (although create_user.cgi is of no use on the NAS; this CGI is created after installing Surveillance Station).
Our NVR team is also working on the VioStor fix. Please wait a little longer.

Jason

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Fri Jun 07, 2013 2:31 pm
by micmicmic
QNAPJason wrote: Security Advisory

[What is affected]
Surveillance Station Pro v3.0 from QTS 4.0 could allow a guest user with "ping" permission.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143

[How to fix]
Please go to App Center and upgrade Surveillance Station Pro to v3.0.1 or higher for the security fix (CWE-77).
The upcoming v3.0.2 will disable guest login completely. Please wait 1 more day.
[attachment: SSPro3.0.1.jpg]


Does that mean I must upgrade to QTS 4.0??

------------------------------------
Current Model: 469L
OS 3.8.2

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Fri Jun 07, 2013 3:15 pm
by Envalon
Good question. Is Surveillance Station Pro 3.0.1 only for 4.0?

Can someone with FW 3.x.x confirm that they can update Surveillance Station Pro to version 3.0.1?

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Sat Jun 08, 2013 7:02 am
by Envalon
Can someone answer the question?

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Sat Jun 08, 2013 2:55 pm
by bugmenot3
SS 3.* only runs on FW 4.*

That is the problem for many SS users like me.
Wait and let the QNAP team do their work.

Re: Security Fix for Surveillance Station Pro v3.0

Posted: Sat Jun 08, 2013 4:51 pm
by Envalon
Wait???
They had two and a half weeks to work on a FIX. They released a first update (which never went live) and said it fixed the problem. Then I tested it, and no, it was still vulnerable. Now they say again that they have fixed the problem and will inform customers. But this "fix" is not a real fix. Also there is no information about the VioStor systems. There are company VioStor systems reachable from the internet where you can access and view cams, play recordings ....... On the other hand there are a lot of NAS systems attackable from the internet with TB of data. These servers will probably now be attacked by hackers because the hack is so easy. Not everyone can upgrade to FW 4.0; this can even lead to data loss. So sorry, but QNAP did a really bad job. And it's not over!

Re: Security Fix for Surveillance Station Pro v3.0 & v2.x

Posted: Sun Jun 09, 2013 3:07 pm
by andrewyu
To fix the issues on VioStor NVR system, please visit http://forum.qnapsecurity.com/viewtopic ... 0&t=183680 to download the latest NVR firmware.

Re: Security Fix for Surveillance Station Pro v3.0 & v2.x

Posted: Sun Jun 09, 2013 7:12 pm
by Envalon
@andrewyu how did you fix the problem?
After a short look into the firmware, pingping.cgi is still there. Is the input now sanitized? Is the guest account removed?
Would be nice if you could update the demo system on your homepage :)

Greetings
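The two questions Envalon raises in the last post (is the input to the ping CGI sanitized, and is the guest account gone) map onto the two CWEs in the advisory. The following is an added example, not QNAP's code and not the contents of pingping.cgi, whose internals the thread does not show; the vulnerable form is the generic CWE-77 pattern of splicing caller-controlled text into a shell command, and the `ping_cgi`, `authorize` and hostname allow-list names are assumptions for illustration. The hardened version validates the host as an IP literal or plain hostname, builds an argv list so no shell ever parses it, and refuses the guest user before either step.

```python
"""A "ping" CGI handler, vulnerable pattern beside a hardened one.
Added example; not vendor code. The real CGI's internals are unknown here.
"""
import ipaddress
import re
import subprocess

# Plain hostname allow-list in the RFC 1123 shape: labels of letters, digits
# and hyphens, no leading/trailing hyphen, 253 characters at most.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(host):
    """The CWE-77 pattern: the caller's string is spliced into a command line
    that a shell then parses, so host = "127.0.0.1; id" also runs `id`
    with the CGI's privileges. Shown for contrast only; never executed here."""
    return "ping -c 1 " + host


def validate_host(host):
    """Return the host if it is an IP literal or a plain hostname, else raise.
    Shell metacharacters, whitespace and leading hyphens (option injection)
    all fail both checks."""
    if not isinstance(host, str) or not host:
        raise ValueError("empty host")
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError("host is not an IP address or hostname: %r" % host)


def build_ping_command(host):
    """Hardened: validate first, then build an argv list. With no shell in
    the path, nothing in `host` can be interpreted as command syntax."""
    return ["ping", "-c", "1", validate_host(host)]


def authorize(user):
    """CWE-284 side: the advisory says guest could reach ping; refuse it."""
    return user is not None and user != "guest"


def ping_cgi(user, host):
    """Full handler returning (status, body). ping runs only when both the
    access check and the host validation pass."""
    if not authorize(user):
        return (403, "forbidden")
    try:
        argv = build_ping_command(host)
    except ValueError as exc:
        return (400, str(exc))
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    except (OSError, subprocess.TimeoutExpired) as exc:
        return (500, "ping failed: %s" % exc)
    return (200, proc.stdout)
```

A quick way to check a handler like this against the advisory is to feed it the classic separators (`;`, backticks, `$(...)`, a leading `-`) and confirm each is rejected with a 400 before any process is spawned, and that the guest user gets a 403 regardless of the host argument.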