[SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by OneCD »

dolbyman wrote: Fri May 14, 2021 4:56 am But I guess you only fetch customers with shiny features and buzzwords like "public cloud"
I wonder how many customers who bought a QNAP in the last couple of years would be willing to buy another - given they've now seen what owning and running a QNAP actually involves? :lol:

dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by dolbyman »

They could release QlTS (Qnap lite Turbo Station)

Just baseline file sharing services, no bells no whistles (but done right) .. they could even sell the 'lite' version with a license :lol: :shock:
OneCD
Guru
Posts: 12037
Joined: Sun Aug 21, 2016 10:48 am
Location: "... there, behind that sofa!"

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by OneCD »

dolbyman wrote: Fri May 14, 2021 5:43 am They could release QlTS (Qnap lite Turbo Station)

Just baseline file sharing services, no bells no whistles (but done right) .. they could even sell the 'lite' version with a license :lol: :shock:
That’s a great idea @dm. Makes a lot of sense. So, there’s no-chance it will be adopted by QNAP. :(

syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by syncthing »

BTW do you have malware remover installed or not?
xavierh
Experience counts
Posts: 1118
Joined: Wed Jan 30, 2008 6:15 am
Location: Denton, Texas

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by xavierh »

Being a QNAP user since the TS-209 days, I have seen the changes done by QNAP through the years... some of them good and some of them bad. QNAP has always been, in my opinion, good with their hardware but always "behind" when it comes to software functionality, and the recent security issues are becoming more and more evident that the software continues to lag behind, compared to Synology for example.

I do agree with the idea of QNAP providing a lighter OS installation with just basic functions and everything else is provided either by QPKGs or, if the user is so inclined, containers. But they need to actually revamp their security from the ground up and make sure that they are on top of that game.... right now other manufacturers honestly do not need to do marketing... QNAP is doing it for them with all these issues being talked about on the internet.

Having said that, I am not changing my QNAP setup. I know what I am running on my devices; they only run the services / applications that I need and their exposure to the internet is limited to only Plex in a Docker container, and I monitor my network connections. However, I am in the minority and the average Joe does not have the knowledge or the time to deal with all this security crap, so it is the responsibility of QNAP to step up their game on that front.

QNAP TVS-951x, QTS 5.0.0.1986 build 20220324, OS Storage Pool: Samsung 860 EVO 250GB SSD x 4 (RAID 5), Data Storage Pool: WD WD30EFRX (Red) 3TB x 4 (RAID 5), 16GB RAM, WD Easystore 10TB External USB 3.0, Services: SMB, Appletalk, QPKG: Container Station, HBS 3
QNAP TS-453A, QTS 5.0.0.1986 build 20220324, Services: SMB, HBS 3
Network: UDM, UDM Beacon, Unifi 8 Port Switch x 3, Flex Mini Switch, In Wall AP
scolumbo
Getting the hang of things
Posts: 68
Joined: Sat Dec 19, 2015 12:05 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by scolumbo »

I agree, I don't expose my 2 QNAPs to the internet so I feel relatively secure (I also have 3-2-1 backups), but I wouldn't recommend QNAP to anyone.

Even besides the security concerns, their frequently faulty firmware updates and inability to remove Multimedia Console and other bloatware I don't need are reasons that going forward, my next NAS will probably not be a QNAP.
syncthing
Know my way around
Posts: 136
Joined: Mon Aug 13, 2018 4:58 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by syncthing »

dolbyman wrote: Fri May 14, 2021 5:43 am They could release QlTS (Qnap lite Turbo Station)

Just baseline file sharing services, no bells no whistles (but done right) .. they could even sell the 'lite' version with a license :lol: :shock:
I guess they will do the opposite and add more bloatware which is not easy to disable, and comes back after the next reboot if you tried to delete it ...
spile
Been there, done that
Posts: 637
Joined: Tue May 24, 2016 12:13 am

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by spile »

Given the user base...
1. Plug and pray consumers
2. Prosumers
3. Those with developer level skills

I see challenges as well as dilemmas ...

- Products are considered difficult to use for 1.
- The main competitor is considered easier to use by type 1.
- New customers to make the company viable are typically type 1.
- Without type 1. customers a company of this size is unviable.
- Bells and whistles appeal to 1. but are an anathema to 3.

The idea of a bloat free by default UI does appeal as it fulfils the needs of all with the possible exception of “do it all for me” type 1. users.
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by jaysona »

Trexx wrote: Fri May 14, 2021 4:45 am I thought you had one of the Ryzen boxes.
Never! I flirted briefly with SoC based NASes, but I'll never use an AMD based system, I require Quicksync for all my capping and encoding.
RAID is not a Back-up!

H/W: QNAP TVS-871 (i7-4790. 16GB) (Plex server) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6604T (8GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AC86U - Asuswrt-Merlin - 386.7_2
Router2: Asus RT-AC68U - Asuswrt-Merlin - 386.7_2
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
jaysona
Been there, done that
Posts: 846
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by jaysona »

OneCD wrote: Fri May 14, 2021 4:53 am Must admit, it gets harder each year to find the motivation to continue supporting QNAP. Their products are only getting worse. :(

It feels a lot like supporting a football team that never wins. Eventually, you're asking yourself "why am I supporting these guys? ¯\_(ツ)_/¯".
The difference with a football team that never wins, is at least they make legitimate efforts, the same can't be said of QNAP.
I'd be a lot happier if QNAP got back-to-basics and made solid and reliable NAS like those their name was originally built-on. :D
Agreed, QNAP back in the day (2007-2009) was just solid. I'd gladly go back to the early days prior to when ajax based version 3 was released. The initial OS was much simpler to use and maintain.
timlathen@gmail.com
New here
Posts: 2
Joined: Sun May 23, 2021 1:45 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by timlathen@gmail.com »

I need help. ClamAV refuses to update on my TS-120. I have no idea what to do next; the antivirus won't update.
I have ssh'ed in and tried freshclam but that didn't work either, and ClamAV doesn't have the CVDs available on the page anymore. I'm not sure what to do.
timlathen@gmail.com
New here
Posts: 2
Joined: Sun May 23, 2021 1:45 pm

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by timlathen@gmail.com »

When you click on security all you get is Malware Remover. Is this the replacement?
The virus scanner was disabled after the update.
My CPU is pegged at 100% and nothing is running. I am so frustrated, I've been at this for hours.
dolbyman
Guru
Posts: 35005
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: [SECURITY ADVISORY] Command Injection Vulnerability in Malware Remover

Post by dolbyman »

If you have a malware infection, ClamAV does nothing... it scans user files and not the NAS itself.

Find out what is hogging the CPU...