[SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

OneCD
Ask me anything
Posts: 9051
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by OneCD » Fri May 14, 2021 5:00 am

dolbyman wrote:
Fri May 14, 2021 4:56 am
But I guess you only fetch customers with shiny features and buzzwords like "public cloud"
I wonder how many customers who bought a QNAP in the last couple of years would be willing to buy another - given they've now seen what owning and running a QNAP actually involves? :lol:

dolbyman
Guru
Posts: 23139
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by dolbyman » Fri May 14, 2021 5:43 am

They could release QlTS (Qnap lite Turbo Station)

Just baseline file sharing services, no bells no whistles (but done right) .. they could even sell the 'lite' version with a license :lol: :shock:

OneCD
Ask me anything
Posts: 9051
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by OneCD » Fri May 14, 2021 5:48 am

dolbyman wrote:
Fri May 14, 2021 5:43 am
They could release QlTS (Qnap lite Turbo Station)

Just baseline file sharing services, no bells no whistles (but done right) .. they could even sell the 'lite' version with a license :lol: :shock:
That’s a great idea @dm. Makes a lot of sense. So, there’s no chance it will be adopted by QNAP. :(

syncthing
Know my way around
Posts: 122
Joined: Mon Aug 13, 2018 4:58 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by syncthing » Fri May 14, 2021 9:08 pm

BTW do you have malware remover installed or not?

xavierh
Experience counts
Posts: 1113
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by xavierh » Fri May 14, 2021 11:54 pm

Being a QNAP user since the TS-209 days, I have seen the changes that were done by QNAP through the years... some of them good and some of them bad. QNAP has always been, in my opinion, good with their hardware but always "behind" when it comes to software functionality, and with the recent security issues it is becoming more and more evident that the software continues to lag behind, compared to Synology for example.

I do agree with the idea of QNAP providing a lighter OS installation with just basic functions, where everything else is provided either by QPKGs or, if the user is so inclined, containers. But they need to actually revamp their security from the ground up and make sure that they are on top of that game.... Right now other manufacturers honestly do not need to do marketing... QNAP is doing it for them with all these issues being talked about on the internet.

Having said that, I am not changing my QNAP setup. I know what I am running on my devices; they only run the services / applications that I need, their exposure to the internet is limited to only Plex in a Docker container, and I monitor my network connections. However, I am in the minority, and the average Joe does not have the knowledge or the time to deal with all this security **, so it is the responsibility of QNAP to step up their game on that front.

QNAP TVS-951x QTS 4.5.3.1670 Build 20210515 OS Storage Pool: Samsung 860 EVO 250GB SSD x 4 (RAID 5), Data Storage Pool: WD WD30EFRX (Red) 3TB x 4 (RAID 5), 16GB RAM WD Easystore 10TB External USB 3.0 Services: SMB, Appletalk, QPKG: Container Station, HBS 3
QNAP TS-453A QTS 4.5.3.1670 Build 20210515 Services: SMB, HBS 3
Network: UDM, UDM Beacon, Unifi 8 Port Switch x 3, Flex Mini Switch, In Wall AP

scolumbo
Getting the hang of things
Posts: 60
Joined: Sat Dec 19, 2015 12:05 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by scolumbo » Sat May 15, 2021 12:22 am

I agree, I don't expose my 2 QNAPs to the internet so I feel relatively secure (I also have 3-2-1 backups), but I wouldn't recommend QNAP to anyone.

Even besides the security concerns, their frequently faulty firmware updates and inability to remove Multimedia Console and other bloatware I don't need are reasons that going forward, my next NAS will probably not be a QNAP.

syncthing
Know my way around
Posts: 122
Joined: Mon Aug 13, 2018 4:58 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by syncthing » Sat May 15, 2021 1:06 am

dolbyman wrote:
Fri May 14, 2021 5:43 am
They could release QlTS (Qnap lite Turbo Station)

Just baseline file sharing services, no bells no whistles (but done right) .. they could even sell the 'lite' version with a license :lol: :shock:
I guess they will do the opposite and add more bloatware which is not easy to disable, and comes back after the next reboot if you tried to delete it ...

spile
Easy as a breeze
Posts: 403
Joined: Tue May 24, 2016 12:13 am

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by spile » Sat May 15, 2021 2:54 pm

Given the user base...
1. Plug and pray consumers
2. Prosumers
3. Those with developer level skills

I see challenges as well as dilemmas ...

- Products are considered difficult to use for 1.
- The main competitor is considered easier to use by type 1.
- New customers to make the company viable are typically type 1.
- Without type 1. customers a company of this size is unviable.
- Bells and whistles appeal to 1. but are an anathema to 3.

The idea of a bloat free by default UI does appeal as it fulfils the needs of all with the possible exception of “do it all for me” type 1. users.

jaysona
Been there, done that
Posts: 682
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by jaysona » Sun May 16, 2021 1:46 am

Trexx wrote:
Fri May 14, 2021 4:45 am
I thought you had one of the Ryzen boxes.
Never! I flirted briefly with SoC based NASes, but I'll never use an AMD based system, I require Quicksync for all my capping and encoding.
H/W: Asustor AS6604T (8Gig) / Asustor AS7010T (16Gig)
H/W: TS-219 Pro / TS-509 Pro x2 / TS-569 Pro (being decommissioned)
H/W: TS-670 Pro (i7-3770S 16Gig) / TVS-EC1080 (32Gig) TVS-871 (i7-4790S 16Gig)
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.12
Router2: Asus RT-AC68U - DD-WRT v3.0-r39960M kongac
Router3: Linksys WRT1900AC - DD-WRT v3.0-r43028 std
Router4: Asus RT-AC66U - FreshTomato v2021.2

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8Gig) / TS-853 Pro (8Gig) / TS-670 Pro (i7-3770S 16Gig)

jaysona
Been there, done that
Posts: 682
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by jaysona » Sun May 16, 2021 1:54 am

OneCD wrote:
Fri May 14, 2021 4:53 am
Must admit, it gets harder each year to find the motivation to continue supporting QNAP. Their products are only getting worse. :(

It feels a lot like supporting a football team that never wins. Eventually, you're asking yourself "why am I supporting these guys? ¯\_(ツ)_/¯".
The difference with a football team that never wins, is at least they make legitimate efforts, the same can't be said of QNAP.
I'd be a lot happier if QNAP got back-to-basics and made solid and reliable NAS like those their name was originally built-on. :D
Agreed, QNAP back in the day (2007-2009) was just solid. I'd gladly go back to the early days prior to when ajax based version 3 was released. The initial OS was much simpler to use and maintain.

timlathen@gmail.com
New here
Posts: 2
Joined: Sun May 23, 2021 1:45 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by timlathen@gmail.com » Sun May 23, 2021 1:49 pm

I need help. ClamAV refuses to update on my TS-120. I have no idea what to do next; the antivirus won't update.
I have ssh'ed in and tried freshclam but that didn't work either, and ClamAV doesn't have the CVDs available on the page anymore. I'm not sure what to do.

timlathen@gmail.com
New here
Posts: 2
Joined: Sun May 23, 2021 1:45 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by timlathen@gmail.com » Sun May 23, 2021 1:53 pm

When you click on security, all you get is Malware Remover. Is this the replacement?
The virus scanner was disabled after the update.
My CPU is pegged at 100% and nothing is running. I am so frustrated, I've been at this for hours.

dolbyman
Guru
Posts: 23139
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by dolbyman » Sun May 23, 2021 9:05 pm

If you have a malware infection, ClamAV does nothing .. it scans user files and not the NAS itself.

Find out what is hogging the CPU ...
