guest user running avahi.deamon !?!?!?!?

Questions about using Windows AD service.
poulTS431
New here
Posts: 2
Joined: Sat Apr 29, 2017 2:54 pm

guest user running avahi.deamon !?!?!?!?

Post by poulTS431 »

I've been digging around with an issue of a python script continuously calling samba-tool domain passwordsettings set bla bla bla ....... Support wanted remote access, which I didn't foresee when setting up the NAS; consequently I've not created a separate volume for data I want to maintain complete control of.

So to my stumbling surprise I found:

9300 guest 832 S /usr/sbin/dbus-daemon --system
12353 guest 904 S avahi-daemon: running ["domain".local]

The NAS is behind a firewall so someone from the outside would have to penetrate that unless there is a Trojan inside.....

Any suggestions on what's going on here would be much appreciated

Thank you.
bugmenot4
Starting out
Posts: 24
Joined: Sun Sep 20, 2015 10:39 pm

Re: guest user running avahi.deamon !?!?!?!?

Post by bugmenot4 »

QNAP is a giant security hole in everyone's network.

This is not a bare statement. Please read to the end...

1. SSH to your NAS and locate the "Guest Tool".ISO file located in /share/CACHEDEV1_DATA/.qpkg/QKVM
This is actually UltraVNC dated 2015. If you unpack it you will find a Windows executable of the UltraVNC installer.
Go ahead and install it. It sets itself up as a VNC server and installs 5 drivers named "RedHat Drivers". I can guess
one for each input device on your PC (keyboard, mice, webcam, microphone and your monitor). The installer
of course is not signed and Windows UAC pops up a warning. If you look at their web site, this thing is capable
of punching a hole in your firewall with a single click on a 166k executable file, so you
start sharing your screen and your keyboard buffer before you even know it. http://www.uvnc.com/products/uvnc-sc.html

But wait! there is more...

2. The home page of this Guest Tool (UltraVNC) fails miserably on security tests:
here: https://www.ssllabs.com/ssltest/analyze ... w.uvnc.com
and here: https://securityheaders.com/?q=www.uvnc ... directs=on

3. There is a nice article (recent actually) published March 30, 2019 describing 22 security vulnerabilities.
Highly recommended: https://infosec-handbook.eu/blog/uvnc-vulnerabilities/

This is not a joke!
QNAP actually thinks that Guest Tool is a valuable feature in their marketing campaign:
https://www.qnap.com/en/how-to/search/Guest%20Tool
https://www.qnap.com/en/how-to/search/VNC


I would like to hear what QNAP has to say about this.

Happy Qnapping everyone.

Cheers,
dolbyman
Guru
Posts: 35276
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: guest user running avahi.deamon !?!?!?!?

Post by dolbyman »

not sure what the guest tools issue is here..if the vnc is outdated..don't install it in your vm ..just install the drivers

and if you need qnaps response..you would need to ask them
bugmenot4
Starting out
Posts: 24
Joined: Sun Sep 20, 2015 10:39 pm

Re: guest user running avahi.deamon !?!?!?!?

Post by bugmenot4 »

dolbyman wrote: Wed May 22, 2019 9:20 pm not sure what the guest tools issue is here..if the vnc is outdated..don't install it in your vm ..just install the drivers
VNC is installed by Virtualization Station, and cannot be removed, nor can it be disabled (see the screenshots)
Virtualization Station users have unrestricted access to console by default...
The Virtio-serial is enabled by default...

But more important is that QNAP's security depends on VNC, which is supposed to provide a security solution, while it has been demonstrated that VNC is not able to provide its own security!
This simply tells me that QNAP does not understand the concept of trust.

but did you actually read my previous post?
UltraVNC – a security nightmare, and the opening paragraph in this link outlines the exact problem that QNAP has: https://infosec-handbook.eu/blog/uvnc-v ... ities/#sbh
The article is about VNC, which is a third party vendor on whom QNAP is heavily reliant.
dolbyman wrote: Wed May 22, 2019 9:20 pm and if you need qnaps response..you would need to ask them
Suppose I reach out to support. What technology does QNAP tech support use to remotely connect to my NAS? VNC?
dolbyman
Guru
Posts: 35276
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: guest user running avahi.deamon !?!?!?!?

Post by dolbyman »

esxi also has this webclient running by default (see guest os even from bootup)

so you are saying that the vm vnc ports are open to anyone in the network or just local connections?

and I have never requested support from qnap .. so no idea how the remote support works
dolbyman
Guru
Posts: 35276
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: guest user running avahi.deamon !?!?!?!?

Post by dolbyman »

well I just tested it .. and you are correct
The VNC is not installed on the guest, but is running on the host machine providing access to the guest

access is not limited to localhost connections and no password is set by default

as I don't have any important VMs running (just Win10 eval) and no foreigners in my network, I am not too worried, but it is still something that should be fixed (at least limit VNC access to localhost only)

QEMU wiki entry about it
https://wiki.archlinux.org/index.php/QEMU#VNC
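
An added example, not part of the original thread and not QNAP's or QEMU's own code: a small audit of QEMU command lines that reports `-vnc` consoles listening beyond localhost and without an authentication option, the condition described in the post above. The command lines in `SAMPLE` are constructed; how Virtualization Station actually invokes QEMU is not shown in the thread, and the function names are hypothetical.

```python
import ipaddress
import shlex

VNC_BASE_PORT = 5900  # QEMU maps VNC display N to TCP port 5900 + N
AUTH_OPTS = {"password", "password=on", "sasl", "sasl=on"}


def is_loopback(host):
    """True only when the listen address is localhost."""
    if host == "":           # "-vnc :0" has no host: QEMU listens on all interfaces
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:       # some other hostname: treat as reachable
        return False


def audit_vnc(cmdline):
    """Return one finding per -vnc option in a QEMU command line."""
    argv = shlex.split(cmdline)
    findings = []
    for i, arg in enumerate(argv[:-1]):
        if arg != "-vnc":
            continue
        spec, *opts = argv[i + 1].split(",")
        auth = any(o in AUTH_OPTS or o.startswith("password-secret=") for o in opts)
        if spec == "none" or spec.startswith("unix:"):
            # No TCP listener: disabled, or a UNIX socket guarded by file permissions.
            findings.append({"spec": spec, "port": None, "exposed": False, "auth": auth})
            continue
        host, _, display = spec.rpartition(":")
        host = host.strip("[]")  # IPv6 literals are written as [::1]:0
        port = VNC_BASE_PORT + int(display) if display.isdigit() else None
        findings.append({"spec": spec, "port": port,
                         "exposed": not is_loopback(host), "auth": auth})
    return findings


def open_consoles(cmdlines):
    """TCP ports of consoles that are network-reachable and unauthenticated."""
    return [f["port"] for c in cmdlines for f in audit_vnc(c)
            if f["exposed"] and not f["auth"]]


# Constructed sample command lines (not taken from a real NAS).
SAMPLE = [
    "qemu-system-x86_64 -name win10 -m 4096 -vnc :0",
    "qemu-system-x86_64 -name lab -vnc 0.0.0.0:1,password=on",
    "qemu-system-x86_64 -name dev -vnc 127.0.0.1:2",
    "qemu-system-x86_64 -name srv -vnc unix:/run/vm/srv.sock",
]
```
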
emanresu
New here
Posts: 6
Joined: Mon Jan 14, 2019 5:17 pm

Re: guest user running avahi.deamon !?!?!?!?

Post by emanresu »

if you don't open ports and disable upnp, will the security be better?
Don
Guru
Posts: 12289
Joined: Thu Jan 03, 2008 4:56 am
Location: Long Island, New York

Re: guest user running avahi.deamon !?!?!?!?

Post by Don »

emanresu wrote: Tue Jun 11, 2019 9:41 pm if you don't open ports and disable upnp, will the security be better?
The threat vectors will be less and the ability to exploit existing vulnerabilities from outside is eliminated.
Use the forum search feature before posting.

Use RAID and external backups. RAID will protect you from disk failure, keep your system running, and data accessible while the disk is replaced, and the RAID rebuilt. Backups will allow you to recover data that is lost or corrupted, or from system failure. One does not replace the other.

NAS: TVS-882BR | F/W: 5.0.1.2346 | 40GB | 2 x 1TB M.2 SATA RAID 1 (System/VMs) | 3 x 1TB M.2 NMVe QM2-4P-384A RAID 5 (cache) | 5 x 14TB Exos HDD RAID 6 (Data) | 1 x Blu-ray
NAS: TVS-h674 | F/W: 5.0.1.2376 | 16GB | 3 x 18TB RAID 5
Apps: DNSMasq, PLEX, iDrive, QVPN, QLMS, MP3fs, HBS3, Entware, DLstation, VS, +