[SECURITY ADVISORY] Security Advisory for Malware on QTS - NAS-201902-13

[Toxic17]

Security Advisory for Malware on QTS
Release date: February 13, 2019
Security ID: NAS-201902-13
Severity: High
CVE identifier: N/A
Affected products: To be confirmed
Summary
A recently reported malware is known to affect QNAP NAS devices. We are currently analyzing the malware and will provide the solution as soon as possible.

If you have any questions regarding this issue, please contact us through the QNAP Helpdesk.

Recommendation
To avoid possible exploits, you must:

Manually update Malware Remover to the latest version.
Update QTS to the latest version.
Update all apps installed on your NAS.
In case you encounter problems or receive the following error message while updating Malware Remover, please wait for the solution:

[App Center] Failed to install MalwareRemover. Model does not support MalwareRemover.

Manually Installing and Running the Latest Version of Malware Remover
On your web browser, go to the QNAP App Center.
Select your QTS version.
The application list appears.
Locate and click Malware Remover.
The Malware Remover download window appears.
Identify your processor type, and then click Download.
Your system downloads the installer zip file.
Extract the installer file.
Log on to QTS as administrator.
Open App Center, and then click .
The manual installation dialog box appears.
Read the instructions, and then click Browse.
The file broswer appears.
Locate and select the installer file.
Click Install.
A confirmation message appears.
Click OK.
QTS installs the latest version of Malware Remover.
A confirmation message appears.
Click OK.
The required updates dialog box appears.
Click Update Now.
QTS updates Malware Remover to the latest version.
Open Malware Remover.
Click Start Scan.
Malware Remover scans the NAS for malware.
Installing the QTS Update
Log on to QTS as administrator.
Go to Control Panel > System > Firmware Update.
Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Updating All NAS Applications
Log on to QTS as administrator.
Open App Center.
Locate Install Updates on the upper right corner of the screen.
Click All.
A confirmation message appears.
Click OK.
QTS updates all installed applications.


Revision History: V1.0 (February 13, 2019) - Published

[Toxic17]

Still this advisory has not yet been updated.

Affected products: To be confirmed

Revision History: V1.0 (February 13, 2019) - Published

[Blackbar7]

Still this advisory has not yet been updated.

Affected products: To be confirmed

Revision History: V1.0 (February 13, 2019) - Published

What did you expect from qnap?
I am asking for about years to upgrade php. No luck.

[Toxic17]

The php 7.x upgrade will break most QNAP web apps supported by them now, so they would need to update PHP, then update all web apps to support php7.x and only then, release all of them together.

[Toxic17]

Update from QNAP at last.

Affected products: QNAP NAS devices with QTS 4.2.6 build 20181227,
QTS 4.3.3 build 20190102,
QTS 4.3.4 build 20190102,
QTS 4.3.6 build 20181228 and earlier versions

more info here:

https://www.qnap.com/en-au/security-adv ... -201902-13

Revision History:
V1.1(April 19, 2019) - Update Affected Products, Summary and Recommendation
V1.0 (February 13, 2019) - Published