QNAP information security risk

Qpace

QNAP information security risk

Post by Qpace »

So I wanted to open a thread about security practices with QNAP NASs.
I see many people on the forum constantly reminding others not to directly expose their NAS to the internet, and I agree with this recommendation;
however, I also see many people recommending app installs from QNAP Club.

Now I'm sure the developers in QNAP Club have the best intentions at heart, but it has to be said: when you install applications from
an unknown source you are putting your data at risk just as much as opening the NAS to direct remote access.

If you have confidential information on your NAS, you need to think very carefully about whether that packaged app you really want is really worth the risk.
Just because you cannot remotely access the NAS directly doesn't prevent the NAS from sending data out to the wider internet.

How do others see this, and how do you quantify this risk?


Regards,
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP information security risk

Post by dolbyman »

We have never heard of NAS units getting infected from installing qpkgs... so where exactly is the "just as much at risk" FUD coming from?
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: QNAP information security risk

Post by FSC830 »

My guess is it's not an infection he is worrying about, but that apps on the NAS send some critical data somewhere else.
For that there is also a very simple solution: don't allow outgoing traffic from the NAS if your data is so sensitive.
This also means: check manually for newer QTS/app versions. Access from outside by VPN is possible anyhow, just use a "jump" host inside your LAN.
The NAS can communicate inside, but not to external hosts (i.e. no gateway).

Regards
Qpace

Re: QNAP information security risk

Post by Qpace »

dolbyman wrote: Fri Nov 25, 2022 11:07 pm
We have never heard of NAS units getting infected from installing qpkgs... so where exactly is the "just as much at risk" FUD coming from?
I wouldn't say that any of this is FUD, and just because systems do not have an infection doesn't mean that data isn't being exfiltrated or that there is no risk.
We are talking about NAS units that are used not only by individuals, but also businesses. Data leakage for the most part is not detected, unless of course
huge amounts of data are moving and reducing bandwidth, which prompts investigation.

I agree with @FSC830 that the best way to avoid this is to block traffic from the NAS leaving the local network. The point here though is that most
people may be unaware of this, especially when all we focus on is the risk of exposing a NAS directly to the internet.

The Qnap Club is a great resource, however we also need to accept that it is not a secure resource, especially when many of the packages are installed with full admin privileges.
Last edited by Qpace on Fri Nov 25, 2022 11:52 pm, edited 1 time in total.
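FSC830's "no outgoing traffic from the NAS" policy and Qpace's point that leakage is only noticed when it saturates bandwidth both come down to what the LAN gateway records about the NAS's egress. The script below is an added example, not code from this thread or from QNAP: it audits a constructed gateway log against the policy. It assumes the gateway logs each forwarded or dropped connection as one key=value line (the format, the NAS address 192.168.1.20 and every destination address are made up for the demo; a real firewall or flow log needs its own parser), treats RFC1918 ranges as "inside", and reports every external attempt by the NAS, dropped or not, plus the bytes that actually got through per destination, so a slow leak surfaces too.

```python
"""Egress audit for a LAN-only NAS (added example, assumed log format)."""
import ipaddress
from collections import defaultdict

NAS_IP = "192.168.1.20"        # assumed address of the LAN-only NAS
VOLUME_THRESHOLD = 1_000_000   # bytes per external destination before alerting

# RFC1918 ranges count as "inside"; a VPN jump host on 10.8.0.0/24 is inside too.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample gateway log (external addresses from documentation ranges).
SAMPLE_LOG = """\
ts=2022-11-25T22:01:03Z src=192.168.1.20 dst=192.168.1.50 dport=445 bytes=52000 action=accept
ts=2022-11-25T22:01:09Z src=192.168.1.33 dst=203.0.113.80 dport=443 bytes=18000 action=accept
ts=2022-11-25T22:02:14Z src=192.168.1.20 dst=203.0.113.7 dport=443 bytes=4096 action=drop
ts=2022-11-25T22:03:14Z src=192.168.1.20 dst=203.0.113.7 dport=443 bytes=4096 action=drop
ts=2022-11-25T22:05:40Z src=192.168.1.20 dst=198.51.100.9 dport=8443 bytes=700000 action=accept
ts=2022-11-25T22:06:40Z src=192.168.1.20 dst=198.51.100.9 dport=8443 bytes=650000 action=accept
ts=2022-11-25T22:07:01Z src=192.168.1.20 dst=10.8.0.2 dport=22 bytes=3000 action=accept
"""


def parse_line(line):
    """Split one 'k=v k=v ...' log line into a dict; bytes becomes an int."""
    rec = dict(field.split("=", 1) for field in line.split())
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(ip):
    """True if the address is in one of the RFC1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def audit(log_text, nas_ip=NAS_IP, threshold=VOLUME_THRESHOLD):
    """Return (violations, bytes_sent, over_threshold) for the NAS.

    violations: (ts, dst, dport, action) for every external attempt, so a
                dropped attempt is still reported as a sign something on the
                NAS tried to call out;
    bytes_sent: bytes that actually left, per external destination, which
                only happens when the blocking policy has a gap;
    over_threshold: the destinations whose total crossed the alert threshold.
    """
    violations = []
    sent = defaultdict(int)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["src"] != nas_ip or is_internal(rec["dst"]):
            continue          # other hosts, or the NAS talking inside the LAN
        violations.append((rec["ts"], rec["dst"], int(rec["dport"]), rec["action"]))
        if rec["action"] == "accept":
            sent[rec["dst"]] += rec["bytes"]
    over = {dst: b for dst, b in sent.items() if b >= threshold}
    return violations, dict(sent), over


if __name__ == "__main__":
    violations, sent, over = audit(SAMPLE_LOG)
    for ts, dst, dport, action in violations:
        print(f"{ts} NAS -> {dst}:{dport} {action.upper()}")
    for dst, total in over.items():
        print(f"ALERT {total} bytes reached {dst}; the egress policy let this through")
```

In the sample, the two dropped attempts to 203.0.113.7 show the policy working and still give the owner something to investigate on the NAS, while the accepted traffic to 198.51.100.9:8443 shows a hole in the ruleset that the volume check catches at 1.35 MB, long before it would be noticed as lost bandwidth.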
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP information security risk

Post by dolbyman »

If you are a business you shouldn't install any homebrew or whatnot on your NAS anyway; official images of whatever programs are needed should be used and installed in VMs or containers.

QNAPClub is dead anyways, a new repo has been opened

The FUD was about comparing a web exposed NAS to the risk of a rogue (upstream) app developer
Qpace

Re: QNAP information security risk

Post by Qpace »

dolbyman wrote: Fri Nov 25, 2022 11:52 pm
If you are a business you shouldn't install any homebrew or whatnot on your NAS anyway; official images of whatever programs are needed should be used and installed in VMs or containers.

QNAPClub is dead anyways, a new repo has been opened
:-) You certainly shouldn't, but I know many small businesses, or small IT departments, that take the easy route.
jaysona
Been there, done that
Posts: 856
Joined: Tue Dec 02, 2008 11:26 am
Location: Somewhere in the Great White North

Re: QNAP information security risk

Post by jaysona »

FUD = Fear, Uncertainty & Doubt.

This is exactly what is being spread by Qpace by trying to make a theoretical risk appear to be a widely realized risk.
Qpace wrote: Fri Nov 25, 2022 11:49 pm ....
We are talking about NAS units that are used not only by individuals, but also businesses. Data leakage for the most part is not detected, unless of course
huge amounts of data are moving and reducing bandwidth, which prompts investigation.
....
Any business that installs any software without first conducting a risk assessment is just plain negligent and deserves whatever comes their way due to their poor business practices.

The majority of the QPKGs are nothing more than software taken from a git repo which is then compiled and packaged for a particular QNAP CPU architecture. Much of it can be mostly automated. The bulk of the QPKG packagers also happen to be frequent posters on the forums here.

The various git repos have been exploited far more frequently than any QNAP QPKG. As data exfiltration goes, QPKG exploits would be more of a specifically targeted attack vs casting a wide net. There are just too few businesses using such QPKGs vs the potential for poisoning a git repo.
RAID is not a Back-up!

H/W: QNAP TVS-872x (i7-8700. 64GB) (Plex server & encoding host) / TVS-EC1080 (32Gig ECC) - VM host & seedbox
H/W: Asustor AS6706T (32GB) / Asustor AS7010T (16GB) (media storage)
H/W: TS-219 Pro / TS-509 Pro
O/S: Slackware 14.2 / MS Windows 7-64 (x5)
Router1: Asus RT-AX86U - Asuswrt-Merlin - 3004.388.6_2
Router2: Asus RT-AC66U - Asuswrt-Merlin - 386.12_6
Router3: Linksys WRT1900AC - DD-WRT v3.0-r46816 std
Router4: Asus RT-AC66U - FreshTomato v2021.10.15

Misc: Popcorn Hour A-110/WN-100, Pinnacle Show Center 250HD, Roku SoundBridge Radio (all retired)
Ditched QNAP units: TS-269 Pro / TS-253 Pro (8GB) / TS-509 Pro / TS-569 Pro / TS-853 Pro (8GB)
TS-670 Pro x2 (i7-3770s 16GB) / TS-870 Pro (i7-3770 16GB) / TVS-871 (i7-4790s 16GB)
Moogle Stiltzkin
Guru
Posts: 11445
Joined: Thu Dec 04, 2008 12:21 am
Location: Around the world....

Re: QNAP information security risk

Post by Moogle Stiltzkin »

Qpace wrote: Fri Nov 25, 2022 10:39 pm
So I wanted to open a thread about security practices with QNAP NASs.
I see many people on the forum constantly reminding others not to directly expose their NAS to the internet, and I agree with this recommendation;
however, I also see many people recommending app installs from QNAP Club.

Now I'm sure the developers in QNAP Club have the best intentions at heart, but it has to be said: when you install applications from
an unknown source you are putting your data at risk just as much as opening the NAS to direct remote access.

If you have confidential information on your NAS, you need to think very carefully about whether that packaged app you really want is really worth the risk.
Just because you cannot remotely access the NAS directly doesn't prevent the NAS from sending data out to the wider internet.

How do others see this, and how do you quantify this risk?


Regards,
I'm pretty sure someone is going to misconstrue what I said and tailor some strawman argument :shock:

So before that happens:

Pertaining to insecure qpkgs: I only highlighted the observation that some container apps like Photo Station, Video Station, Music Station (seems to be a pattern here :D) etc. tend to require patching every so often to fix yet another vulnerability, to the point that I wonder if you are simply better off not installing those apps if you plan to do remote access, so that it is one thing less to worry about.


This was just an example of the issue I was worried about (it has probably been patched by now, FYI). But if I'm not mistaken, even in that situation they still required the user to have inappropriately exposed their NAS online, and in that example someone certainly did, so the hacker proceeded to make use of that vulnerability for that particular app (on an unpatched NAS: either the patch was not released on time, or someone was negligent in updating their NAS and qpkgs).
QNAP QTS and Photo Station 6.0.3 - Remote Command Execution | Hack site
https://www.youtube.com/watch?v=sNZOJI_gD48

I use qpkgs like Photo Station just fine, but at the same time I don't expose my NAS or do any sort of remote access, so my risk is much smaller than that of those who do. And I always update.


As for other qpkgs, no idea. But people were quick enough to put words in my mouth to make something out of nothing :'

But one aspect of qpkgs: if you install them from untrusted sources, then those qpkgs could be fake/malicious, aka malware. This is why when installing qpkgs it's best to get them from App Center or from qnapclub.eu. Beyond that, it is very risky.

Within QTS there is a verify-qpkg feature, but I noticed that even for trusted sources, sometimes their qpkgs don't get validated. No idea whether they improved on that process or not.


Docker containerized apps can be set up to run as non-root users. But in the guide I recently posted on UniFi Controller, that particular guide had it running as root. On a risk assessment, though, if you only do a LAN setup, then maybe even that setup should be fine.



Then you had the other situation with QSnatch, DeadBolt and other similar apps. In the case of DeadBolt it was a zero-day vulnerability, meaning no one knew it existed for many months, and by the time it was discovered it had already infected/wreaked havoc on many exposed QNAP NASs out there (the damage had already been done). Then it took some more time before a patch was released. So the moral of the story pertaining to zero-day vulnerabilities: if you don't want to be put in that situation, DO NOT expose the NAS online. I doubt there is any good solution to that other than not exposing the NAS.

https://www.itpro.com/security/ransomwa ... are-attack
https://www.zdnet.com/article/thousands ... h-malware/


Some users claimed they got hit even when not exposing their NAS (in regards to QSnatch/DeadBolt). But some investigators mentioned that an improperly disinfected NAS can still carry over the infection unbeknownst to the owner, hence their misconception about why they got infected even after not exposing it after the fact. In my case I'm always LAN only, no remote, so I was not affected (I even ran the checks to confirm this).

So this is why people keep saying you are better off not exposing your NAS online.


dolbyman wrote: Fri Nov 25, 2022 11:52 pm
QNAPClub is dead anyways, a new repo has been opened
What repo? :'
NAS
[Main Server] QNAP TS-877 (QTS) w. 4tb [ 3x HGST Deskstar NAS & 1x WD RED NAS ] EXT4 Raid5 & 2 x m.2 SATA Samsung 850 Evo raid1 +16gb ddr4 Crucial+ QWA-AC2600 wireless+QXP PCIE
[Backup] QNAP TS-653A (Truenas Core) w. 4x 2TB Samsung F3 (HD203WI) RaidZ1 ZFS + 8gb ddr3 Crucial
[^] QNAP TL-D400S 2x 4TB WD Red Nas (WD40EFRX) 2x 4TB Seagate Ironwolf, Raid5
[^] QNAP TS-509 Pro w. 4x 1TB WD RE3 (WD1002FBYS) EXT4 Raid5
[^] QNAP TS-253D (Truenas Scale)
[Mobile NAS] TBS-453DX w. 2x Crucial MX500 500gb EXT4 raid1

Network
Qotom Pfsense|100mbps FTTH | Win11, Ryzen 5600X Desktop (1x2tb Crucial P50 Plus M.2 SSD, 1x 8tb seagate Ironwolf,1x 4tb HGST Ultrastar 7K4000)


Resources
[Review] Moogle's QNAP experience
[Review] Moogle's TS-877 review
https://www.patreon.com/mooglestiltzkin
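Moogle's note that QTS's verify-qpkg step sometimes fails to validate even trusted packages, and the earlier concern about packages built from git repos that may have been poisoned, both point at the same control: pin what the release is supposed to contain and refuse anything that differs. The script below is an added example, not QTS's QPKG signature check and not code from any QPKG packager. It assumes the operator obtained a SHA-256 manifest for the release through a trusted, out-of-band channel (here the manifest is generated from the known-good files so the block runs offline), and it refuses to proceed if any listed file is missing or altered or if an unlisted file has been added to the package. All file names and contents are constructed.

```python
"""Pin-and-verify check for a third-party package (added example)."""
import hashlib
import hmac


def sha256_hex(data):
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text):
    """Parse '<hex digest>  <path>' lines (the layout sha256sum emits)."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        expected[path.strip()] = digest.lower()
    return expected


def verify_package(files, manifest_text):
    """files: {relative path: bytes} of the downloaded package.

    Returns (ok, problems). Every reason to refuse is collected so the
    operator sees the full picture instead of one complaint per attempt.
    """
    expected = parse_manifest(manifest_text)
    problems = []
    for path, digest in expected.items():
        if path not in files:
            problems.append(f"missing: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), digest):
            problems.append(f"digest mismatch: {path}")
    for path in files:
        if path not in expected:          # extra files are as suspicious as altered ones
            problems.append(f"unlisted file: {path}")
    return not problems, problems


# Constructed known-good package and the manifest pinned for it.
GOOD_PACKAGE = {
    "app.conf": b"name=exampleapp\nversion=1.0\n",
    "bin/exampleapp": b"\x7fELF constructed placeholder binary",
}
TRUSTED_MANIFEST = "# pinned from the developer's release page (constructed)\n" + "".join(
    f"{sha256_hex(data)}  {path}\n" for path, data in GOOD_PACKAGE.items())

# The same release as served by an untrusted mirror: one file altered, one added.
TAMPERED_PACKAGE = dict(GOOD_PACKAGE)
TAMPERED_PACKAGE["bin/exampleapp"] = b"\x7fELF altered binary"
TAMPERED_PACKAGE["bin/post-install.sh"] = b"#!/bin/sh\n# not part of the release\n"

if __name__ == "__main__":
    for name, pkg in (("good", GOOD_PACKAGE), ("tampered", TAMPERED_PACKAGE)):
        ok, problems = verify_package(pkg, TRUSTED_MANIFEST)
        print(name, "OK" if ok else "REFUSE", problems)
```

The manifest has to come from somewhere other than the download location, otherwise a compromised mirror simply ships a matching manifest; that is why the check is framed as pinning, not as trusting whatever hash file sits next to the archive.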
Qpace

Re: QNAP information security risk

Post by Qpace »

jaysona wrote: Sat Nov 26, 2022 2:51 am
FUD = Fear, Uncertainty & Doubt.

This is exactly what is being spread by Qpace by trying to make a theoretical risk appear to be a widely realized risk.
Qpace wrote: Fri Nov 25, 2022 11:49 pm ....
We are talking about NAS units that are used not only by individuals, but also businesses. Data leakage for the most part is not detected, unless of course
huge amounts of data are moving and reducing bandwidth, which prompts investigation.
....
Any business that installs any software without first conducting a risk assessment is just plain negligent and deserves whatever comes their way due to their poor business practices.

The majority of the QPKGs are nothing more than software taken from a git repo which is then compiled and packaged for a particular QNAP CPU architecture. Much of it can be mostly automated. The bulk of the QPKG packagers also happen to be frequent posters on the forums here.

The various git repos have been exploited far more frequently than any QNAP QPKG. As data exfiltration goes, QPKG exploits would be more of a specifically targeted attack vs casting a wide net. There are just too few businesses using such QPKGs vs the potential for poisoning a git repo.
Clearly you seem to have ignored the intent of this message.

I've seen many, many times on this forum people respond with "DON'T EXPOSE YOUR NAS TO THE INTERNET", without this being classified as FUD.
It seems, however, that if I raise the exact same issue of supply chain attacks and trusted sources, it's now classified as a theoretical risk.
To me this seems a little ignorant of the actual issues of InfoSec and proper due diligence.

To suggest that GitHub is somehow immune to rogue code is really just uninformed.
Unless you personally know the developer, have seen their SDLC, reviewed what libraries they use, and understand the real risk to your business, then you are living with a false sense of security.
To state that any business that doesn't do a risk assessment "deserves whatever comes their way" only goes to show that the people who make these comments have no real idea of how SMBs operate.
There are many mom & pop businesses looking to get set up, maybe even expand a little; they don't have a tech department or even understand how to do a risk assessment.
Comments like jaysona's only go to show how damaging a little knowledge can be.

As a community we need to always be calling out the risk, not just of having your NAS internet facing, but also of having it just connected to the internet, via untrusted (and I stand by that statement) developers.
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP information security risk

Post by dolbyman »

Not exposing the NAS to the WAN is not FUD... see the two still active malware threads for DeadBolt and Qlocker... so it's very much real and not theoretical.
FSC830
Experience counts
Posts: 2043
Joined: Thu Mar 03, 2016 1:11 am

Re: QNAP information security risk

Post by FSC830 »

FSC830 wrote: Fri Nov 25, 2022 11:34 pm ...
For that there is also a very simple solution: don't allow outgoing traffic from the NAS if your data is so sensitive.
This also means: check manually for newer QTS/app versions. Access from outside by VPN is possible anyhow, just use a "jump" host inside your LAN.
The NAS can communicate inside, but not to external hosts (i.e. no gateway).
...
I quote myself. The risk is theoretical!
If you cut the line to the internet from your NAS (cut by means of firewall policy, network infrastructure, ...) your NAS cannot send any data elsewhere!
So where do you see a risk?
And no one ignored the intent of this thread, but the solution is simple (see above): no outgoing connection!

Regards
Qpace

Re: QNAP information security risk

Post by Qpace »

I completely agree with the action of isolating the NAS from any internet access.
There is obviously a big difference between not having your NAS internet facing, and not allowing any internet access at all.

I just feel that we need to be clearer to users of the forum, that there is significant risk, not only by exposing your NAS to the internet,
but also allowing your NAS to have internet access, especially if you are installing apps from non approved repositories, and running those apps with full admin privileges.
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: QNAP information security risk

Post by dolbyman »

Qpace wrote: Fri Dec 02, 2022 12:06 am
I just feel that we need to be clearer to users of the forum, that there is significant risk, not only by exposing your NAS to the internet,
But as said before, if you are that afraid of 3rd party apps, run them in a virtual environment.

The number of times I have seen all sorts of "freeware" tools on corporate server installs because they do task 'xyz' better than scripting it yourself in (Power)Shell... it's the same thing.

And as there was never a single case reported of a developer planting malware in any of the official or repo apps, I still wouldn't call this 'significant', but rather 'theoretical'.
Qpace

Re: QNAP information security risk

Post by Qpace »

Well, we certainly have a difference of opinion then. I've seen many developers embed malicious code into official repos, especially on GitHub.
I've witnessed GitHub repos being compromised via supply chain attacks, and I've seen official library repositories compromised, with these libraries being used in corporate offerings. I guess we just have different visibility and exposure to what is actually happening in the world.

In fact if you happen to follow cyber-warfare related to social and geopolitical events, you would notice an excessive increase in these types of attacks. In February alone these rose briefly by 800% in Europe, following the war in the Ukraine.

I can understand how anything can be seen as theoretical when you don't fully understand the subject matter.
spile
Been there, done that
Posts: 641
Joined: Tue May 24, 2016 12:13 am

Re: QNAP information security risk

Post by spile »

Qpace wrote: Mon Dec 12, 2022 7:59 pm
I can understand how anything can be seen as theoretical when you don't fully understand the subject matter.
When I am making a judgment call questioning a poster's understanding, I take into account how long someone has been a member of that particular forum, as well as the number and quality of responses they give to help requests from others.