[SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by Cbrad01 »

jaysona wrote:
Toxic17 wrote: Mon Jan 10, 2022 11:51 pm I'm loving this new page too:

https://www.qnap.com/en-uk/support/con_ ... cation_bar

only visited qnap.com to check something.
Wow! QNAP is really giving The Three Stooges comedy routine a run for their money these days. :lol:

It seems like quality control and release control are not even part of the QNAP programming lexicon anymore. :roll:
I think they are being overwhelmed on all fronts and we are paying the price. Years of sloppy programming when it comes to security has caught up with them and now it’s a scramble of “whack-a-mole”. At the same time the OS and apps have become so advanced and take so much more to develop and support. A “perfect storm” as it goes.
I wish they would move all of their “core” apps to containers which would give us much more flexibility as users. They need to stop the automatic update crap that they keep trying to force on us. And lastly stop pushing features out for a bit and focus on the basic core items.


dolbyman
Guru
Posts: 35019
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by dolbyman »

And people are honestly considering QNAP routers? Unless they are built by a completely separate team or OEM, I fear the worst for these things.
ROLLINS
Know my way around
Posts: 136
Joined: Tue Oct 14, 2014 10:42 pm

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by ROLLINS »

My Qnaps are on a VPN in the router, only thing I haven't done is set it to allow only certain IP range. That I will do soon.
They are offline for now while I catch up on what's taking place. Which Qnap apps should I disable or uninstall?
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by P3R »

ROLLINS wrote: Thu Jan 13, 2022 4:09 pm My Qnaps are on a vpn in the router...
What kind of VPN?
ROLLINS wrote: Which Qnap apps should I disable or uninstall?
There is no one size fits all advice. You need to evaluate and think about each app if you want to change things.

Do you understand what the app does? If not, then learn that before doing anything. As an example Container Station is required for some other apps so removing it may break functionality that you need and want.

It's better to disable than to remove. Then you can easily enable things again if disabling it had an unwanted consequence.

Much more important than the things you mention is to disable UPnP and any port forwarding to the Qnap in the router, as explained in the Security Statement in the first post of the thread. Have you done that?
RAID has never ever been a replacement for backups. Without backups on a different system (preferably placed at another site), you will eventually lose data!

A non-RAID configuration (including RAID 0, which isn't really RAID) with a backup on a separate media protects your data far better than any RAID-volume without backup.

All data storage consists of both the primary storage and the backups. It's your money and your data, spend the storage budget wisely or pay with your data!
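
The check P3R describes above (no UPnP mappings or port forwards pointing at the NAS) can be spot-checked from a LAN machine by listing the router's UPnP mappings with `upnpc -l` from miniupnpc. The following is an added example, not part of any post in this thread; the sample listing and the NAS address 192.168.1.50 are constructed for illustration.

```python
import re

# Constructed sample of `upnpc -l` output (miniupnpc client); not from the thread.
SAMPLE_UPNPC_OUTPUT = """\
Found valid IGD : http://192.168.1.1:5000/ctl/IPConn
Local LAN ip address : 192.168.1.20
ExternalIPAddress = 203.0.113.7
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:8080  'NAS Web' '' 0
 1 UDP 51413->192.168.1.20:51413 'Transmission at 51413' '' 0
 2 TCP   443->192.168.1.50:443   'NAS HTTPS' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# One mapping row: index, protocol, external port -> internal host:port, 'description'
MAPPING_RE = re.compile(
    r"^\s*(\d+)\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)


def parse_mappings(upnpc_output):
    """Return every UPnP port mapping in the listing as a dict."""
    mappings = []
    for line in upnpc_output.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue  # banner, header and status lines are skipped
        _, proto, ext_port, host, int_port, desc = m.groups()
        mappings.append({
            "proto": proto,
            "ext_port": int(ext_port),
            "host": host,
            "int_port": int(int_port),
            "desc": desc,
        })
    return mappings


def mappings_exposing(upnpc_output, nas_ips):
    """Return only the mappings that forward Internet traffic to a NAS address."""
    nas_ips = set(nas_ips)
    return [m for m in parse_mappings(upnpc_output) if m["host"] in nas_ips]


if __name__ == "__main__":
    # 192.168.1.50 is an assumed NAS address; replace it with your own.
    for m in mappings_exposing(SAMPLE_UPNPC_OUTPUT, ["192.168.1.50"]):
        print(f"EXPOSED: {m['proto']} {m['ext_port']} -> {m['host']}:{m['int_port']} ({m['desc']})")
```

An empty result only covers mappings created through UPnP; port forwards entered manually in the router do not appear in this listing and still have to be checked in the router's own configuration.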
dosborne
Experience counts
Posts: 1791
Joined: Tue May 29, 2018 3:02 am
Location: Ottawa, Ontario, Canada

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by dosborne »

P3R wrote: Thu Jan 13, 2022 10:32 pm It's better to disable than to remove. Then you can easily enable things again if disabling it had an unwanted consequence.
I disagree. If you know you don't need an app, disable it, then remove it.

Not only will you free up (albeit minimal) resources (i.e. space) you also remove a possible intrusion vulnerability. A *smart* hack wouldn't care if *you* enabled or disabled a function, but would access the package or executable directly, or simply enable it.

Just IMO, but better safe than sorry. You can always reinstall an app, particularly a core qnap one. (Or even save a local copy of it first - to another secure location :) )
QNAP TS-563-16G 5x10TB Seagate Ironwolf HDD Raid-5 NIC: 2x1GB 1x10GbE
QNAP TS-231P-US 2x18TB Seagate Exos HDD Raid-1
[Deadbolt and General Ransomware Detection, Prevention, Recovery & MORE]
Cbrad01
Know my way around
Posts: 245
Joined: Fri Jan 15, 2016 9:17 pm

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by Cbrad01 »

I always recommend removing any app you do not use.
Disable any app you only use occasionally.
For applications you use, run them within containers if possible.


P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by P3R »

dosborne wrote: Fri Jan 14, 2022 12:29 pm I disagree. If you know you don't need an app, disable it, then remove it.
Well if you understand exactly what an app does, then you can of course remove it but most users think they know way more than they actually do. When you realize there was a thing that you missed about what an app did it's easier to simply enable it and still have its previous settings intact.
dosborne wrote: Not only will you free up (albeit minimal) resources (i.e. space)...
Yes "minimal" is the key word there. Most users have TB of storage and if those KB or even a MB are critical, then you definitely should have expanded your storage long ago or have done a cleaning to remove unimportant data. If you after a month or so have confirmed that disabling an app didn't cause any issues for you, then go ahead and remove it, if those kilobytes are so extremely important to you.
dosborne wrote: ...you also remove a possible intrusion vulnerability. A *smart* hack wouldn't care if *you* enabled or disabled a function, but would access the package or executable directly, or simply enable it.
In my world it isn't possible to do any of that until the intrusion has happened and then they don't need the dormant code anyway so please explain how a "hack" would "access the package or executable directly" to do an intrusion.
dosborne wrote: You can always reinstall an app, particularly a core qnap one. (Or even save a local copy of it first - to another secure location :) )
You're not sure that you'll have the same settings if you reinstall a "core" Qnap app. My recommendation isn't meant for users that can backup apps. Those that really have the skills to do that properly also have the confidence and experience to ignore my advice without complaining about it.

My advice is trying to save inexperienced users from themselves. Many less experienced users have endless problems with their Qnaps and much of that is probably because they do unsupported things and mess with stuff they don't fully understand...
DQv7Ct_un@MY
New here
Posts: 3
Joined: Sat Jan 15, 2022 7:17 am

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by DQv7Ct_un@MY »

This is like me. New NAS in December’21. New QNAP user with not much experience and learning on the fly. Thought I wanted remote access so did so using MyQNAPCloud. Very strong passwords, default admin disabled. Latest firmware and apps installed as per recommendations.
Unfortunately due to inexperience ports were opened in router and they were in and then QLocker did its stuff.
The issue says it was resolved back in April so why did this run in Jan22?
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by P3R »

DQv7Ct_un@MY wrote: Sat Jan 15, 2022 4:12 pm The issue says it was resolved back in April so why did this run in Jan22?
It's the same ransomware but a different security vulnerability was most likely used to gain access to your system this time. Think of it as QLocker2.

I'm sorry for the experience you've had with your new Qnap. :cry:
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by oyvindo »

The interesting thing is that this document tells us to update QVPN to 3.0.760 (2021/12/17) or later.
Well, my QVPN is 2.0.621 from 2019 and there are no updates available!

What do we make of that?
P3R
Guru
Posts: 13190
Joined: Sat Dec 29, 2007 1:39 am
Location: Stockholm, Sweden (UTC+01:00)

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by P3R »

oyvindo wrote: Sun Jan 16, 2022 8:25 am The interesting thing is that this document tells us to update QVPN to 3.0.760 (2021/12/17) or later.
The document also tells you that "A vulnerability has been reported to affect QNAP NAS running QVPN Service 3.x.".

You don't run QVPN Service 3.x so it doesn't seem like you would be affected by the vulnerability, at least not according to that Security Advisory. It would have been clever of them to include that information to avoid confusion, you're not the first one to misunderstand it...

My guess is that QVPN 3.x is the one with Wireguard support that comes with QTS 5.0. I'm not sure though as I'm not brave enough to install QTS 5.0 on my production unit yet.

I wouldn't trust any Qnap software at all regardless of version for direct Internet exposure so I would stop using QVPN 2.x as well but that's just me.
Last edited by P3R on Sun Jan 16, 2022 8:31 pm, edited 1 time in total.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by oyvindo »

Ok, thanks for your reply.
Kim28
New here
Posts: 2
Joined: Sat Jan 22, 2022 7:04 am

Re: [SECURITY NEWS] Take Immediate Actions to Secure QNAP NAS

Post by Kim28 »

derekzeanah wrote: Sun Jan 09, 2022 1:06 am I don't know where to put this so I'm assuming it's here:

How does one confirm they have not been affected by this?

In my case I have 3 QNAP devices locally, and two of them were inaccessible this morning - in the past they've been reliable as all get out. Neither have been accessible via the internet, none of that qnap ID stuff has been enabled, each uses a different (and complex, and never used elsewhere) password. The timing is just really, really, worrisome. Of course, both were updated to the most recent firmware last week (5.0.0.1891), so this could just be a firmware issue.

I pulled the power out of one and powered it back on. When it came up file sharing started again and there are no ransom notes on the filesystem. I ran the security counselor app and it didn't show any real issues. Malware scanner ran as usual. I think I'm probably fine, but the timing is suspicious, and if there's a security issue I'd like to find it on this machine (as it has a backup that's really recent) rather than the other one.

Is there something else to check to confirm it's just bad timing here?
I am running the latest QUTS 4.5.4 version and today I shut down my H1288X. Later I powered on and could not login. Using Qfinder Pro I found that the IP address for the H1288X had changed by 3 on the last part of address. I changed it back and logged in okay. No screens on login and all looked well. I then shut back down. Did your login address change?