Security Fix for Surveillance Station Pro v3.0 & v2.0~2.5
-
- New here
- Posts: 8
- Joined: Fri Jun 07, 2013 5:17 am
Security Fix for Surveillance Station Pro v3.0 & v2.0~2.5
Hi,
Your information is not correct.
[What is affected]
FW 3.8.2+ installed the Surveillance Station Pro.
Greetings
-
- New here
- Posts: 8
- Joined: Fri Jun 07, 2013 5:17 am
Re: Security Fix for Surveillance Station Pro v3.0
When will a Viostor fix be released? At the moment every Viostor system is attackable?
Greetings
-
- Experience counts
- Posts: 1346
- Joined: Sun Aug 14, 2011 5:13 am
Re: Security Fix for Surveillance Station Pro v3.0
Not a good job qnap did when reading this article:
http://www.h-online.com/security/news/i ... 83263.html
-
- Easy as a breeze
- Posts: 254
- Joined: Wed May 12, 2010 10:35 pm
Re: Security Fix for Surveillance Station Pro v3.0
How nice. More reasons to love QNAP.
QNAP TS-239 Pro II | Version 4.2.6 B20181227 | 2 x 3TB - RAID-1 - WDC WD30EFRX RED
- Toxic17
- Ask me anything
- Posts: 6478
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
- Contact:
Re: Security Fix for Surveillance Station Pro v3.0
Jason - what about CVE-2013-0141 as mentioned in the H security post?
QNAPJason wrote: Security Advisory
[What is affected]
Surveillance Station Pro v3.0 from QTS 4.0 could allow guest user with "ping" permission.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143
Regards Simon
Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
-
- New here
- Posts: 8
- Joined: Fri Jun 07, 2013 5:17 am
Re: Security Fix for Surveillance Station Pro v3.0
@Jason the CVE-2013-0141 only affects Viostor systems. The only way to fix that problem is using one-time tokens in requests. But at the moment I think QNAP is only working on the QNAP NAS, not the QNAP Viostor. This is sad.
- QNAPJason
- QNAP Staff
- Posts: 5398
- Joined: Thu May 21, 2009 2:14 pm
- Location: Taipei
Re: Security Fix for Surveillance Station Pro v3.0
Hi Envalon,
For NAS Surveillance Station Pro v3, we will remove both guest account & create_user.cgi (although the create_user.cgi is no use for NAS. This CGI is created after installing Surveillance Station).
Our NVR team is also working on the Viostor fix. Please wait for some more time.
Jason
-
- New here
- Posts: 4
- Joined: Thu Oct 29, 2009 12:04 am
Re: Security Fix for Surveillance Station Pro v3.0
Does that mean I must upgrade to QTS 4.0??
QNAPJason wrote: Security Advisory
[What is affected]
Surveillance Station Pro v3.0 from QTS 4.0 could allow guest user with "ping" permission.
CWE-284: Improper Access Control CVE-2013-0142
CWE-77: Improper Neutralization of Special Elements used in a Command CVE-2013-0143
[How to fix]
Please go to App Center and upgrade Surveillance Station Pro to v3.0.1 or higher for the security fix (CWE-77).
The upcoming v3.0.2 will disable guest login completely. Please wait for 1 more day.
------------------------------------
Current Mode: 469L
OS 3.8.2
QNAP TS-409 (Dead)
QNAP TS-469L FW4.3.4.0427 build 20171223
QNAP TAS-268 FW4.3.3.0404 build 20171213
-
- New here
- Posts: 8
- Joined: Fri Jun 07, 2013 5:17 am
Re: Security Fix for Surveillance Station Pro v3.0
Good question. Is the Surveillance Station Pro 3.0.1 only for 4.0?
Can someone with a FW 3.x.x say that he can update the Surveillance Station Pro to the 3.0.1 version?
-
- New here
- Posts: 8
- Joined: Fri Jun 07, 2013 5:17 am
Re: Security Fix for Surveillance Station Pro v3.0
Can someone answer the question?
- bugmenot3
- Starting out
- Posts: 46
- Joined: Mon Mar 31, 2008 11:37 pm
Re: Security Fix for Surveillance Station Pro v3.0
SS 3.* is only running on FW 4.*
That is the problem for many SS users like me.
Wait and let the qnap team do their work.
-
- New here
- Posts: 8
- Joined: Fri Jun 07, 2013 5:17 am
Re: Security Fix for Surveillance Station Pro v3.0
Wait???
They had two and a half weeks to work on a fix. They released a first update (never went live) and said it fixes the problem. Then I tested and no, it was still vulnerable. Now they told again they fixed the problem and will inform customers. But this "fix" is not a real fix. Also there is no information about the Viostor systems. There are company Viostor systems reachable from the internet where you can access and view cams, play records ....... On the other hand there are a lot of NAS systems attackable from the internet with TB of data. These servers will probably now be attacked by hackers because the hack is so easy. Not everyone can upgrade to FW 4.0; this can even lead to data loss. So sorry, but QNAP did a really bad job. And it's not over!
- andrewyu
- Know my way around
- Posts: 212
- Joined: Fri Jul 18, 2008 8:29 pm
- Location: Taipei
- Contact:
Re: Security Fix for Surveillance Station Pro v3.0 & v2.x
To fix the issues on VioStor NVR system, please visit http://forum.qnapsecurity.com/viewtopic ... 0&t=183680 to download the latest NVR firmware.
Best regards,
Andrew
-
- New here
- Posts: 8
- Joined: Fri Jun 07, 2013 5:17 am
Re: Security Fix for Surveillance Station Pro v3.0 & v2.x
@andrewyu how did you fix the problem?
After a short look into the FW, the pingping.cgi is still there. Is the input now sanitized? Is the guest account removed?
Would be nice if you can update the demo system on your homepage.
Greetings
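Added example, not part of the thread and not QNAP's code: what "sanitized input" means for the CWE-77 class named in the advisory, shown as a ping handler that accepts only an IP address or hostname and passes it to `ping` as a single argument without a shell. All function names and the sample inputs are hypothetical and constructed for illustration.

```python
import ipaddress
import re
import subprocess

# One DNS label: letters, digits, hyphen; never starts or ends with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

# Constructed sample inputs (not taken from the thread or any advisory).
SAMPLES = ["192.0.2.10", "NAS.Example.com", "192.0.2.10; id", "$(id)", "-f", "a|b", ""]


def validate_ping_target(raw):
    """Return a canonical IP address or hostname, or raise ValueError."""
    if not isinstance(raw, str) or not 1 <= len(raw) <= 253:
        raise ValueError("target length out of range")
    try:
        return str(ipaddress.ip_address(raw))   # IPv4 or IPv6 literal
    except ValueError:
        pass
    labels = raw.rstrip(".").split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError("target is not an IP address or hostname")
    return ".".join(labels).lower()


def build_ping_argv(raw, count=3):
    """Build an argument vector; the target is one argv element, never shell text."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    # A validated target cannot begin with '-', so it cannot be read as an option.
    return ["ping", "-c", str(count), validate_ping_target(raw)]


def run_ping(raw):
    """Execute ping without a shell, so metacharacters are never interpreted."""
    return subprocess.run(build_ping_argv(raw), shell=False,
                          capture_output=True, text=True, timeout=30, check=False)


def classify(samples):
    """Map each sample to its argv, or to None when validation rejects it."""
    result = {}
    for sample in samples:
        try:
            result[sample] = build_ping_argv(sample)
        except ValueError:
            result[sample] = None
    return result
```

Allow-list validation and shell-free execution are independent controls; either one alone stops the metacharacter samples, and the validator additionally rejects option-like input such as `-f`.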