If you own a network-attached storage (NAS) device from Qnap, you should update its software because of several security vulnerabilities. However, not all devices are affected by the vulnerabilities. Some of the manufacturer’s switch models are also vulnerable.
One “critical” vulnerability (CVE-2021-34344) only affects NAS systems running the QUSBCam2 software. The vulnerability can serve as a gateway for malicious code. Qnap says the following versions are protected against such attacks:
- QTS 4.5.4: QUSBCam2 1.1.4 (2021/07/30)
- QTS 4.3.6: QUSBCam2 1.1.4 (2021/07/30)
- QuTS hero h4.5.3: QUSBCam2 1.1.4 (2021/07/30)
The other two “critical” malicious-code vulnerabilities (CVE-2021-34345, CVE-2021-34346) likewise do not affect all NAS models, only those on which NVR Storage Expansion is running. The developers say they have fixed the issues in NVR Storage Expansion 1.0.6 (2021/08/03).
Three more vulnerabilities (CVE-2021-28816 “high”, CVE-2021-34343 “high”, CVE-2018-19957 “medium”) threaten all NAS models. Qnap lists the patched QTS versions in its security advisories.
Other devices are vulnerable
The switch model QSW-M2116P-2T2S and all switches with QuNetSwitch can be attacked via a security vulnerability (CVE-2021-28813 “high”). After a successful attack, attackers could view sensitive information. The following versions are protected against it:
- QSW-M2116P-2T2S 1.0.6 build 21071
- QGD-1600P: QuNetSwitch 188.8.131.52
- QGD-1602P: QuNetSwitch 184.108.40.2069
- QGD-3014PT: QuNetSwitch 220.127.116.119