11 Unpatched QNAP Flaws Exposed: WatchTowr Rings Alarm Bells for NAS Users

Don’t hit the snooze button—infosec pros at watchTowr just blew the whistle on QNAP’s sluggish patch pace. Despite an extended disclosure deadline, 11 of the 15 reported vulnerabilities remain unpatched. It’s like a security siesta over there, folks. Patch or perish! #InfosecSiesta

Hot Take:

Oh, QNAP, seems like you’ve been taking a leisurely stroll down Vulnerability Lane, and now the cyber watchdogs at watchTowr are barking up your tree. Fifteen vulnerabilities and a sluggish patching pace? That’s like running a marathon with weights tied to your shoelaces. Security researchers are not your snooze button, so maybe it’s time to wake up and smell the ransomware brewing!

Key Points:

  • WatchTowr researchers found 15 vulnerabilities in QNAP operating systems, but only four have been patched.
  • QNAP has acknowledged six of the unpatched bugs, all of which have CVEs and some of which were reported as early as December 2023, but has still not shipped patches for them.
  • Five bugs are under embargo or lack fixes, leaving users with potentially vulnerable devices.
  • WatchTowr extended the usual 90-day disclosure window for QNAP but eventually went public for the greater good.
  • Despite QNAP’s cooperative stance, including providing testing access to the researchers, its patching speed lags behind.
CVE record (as quoted on the page):

Title: QTS, QuTS hero, QuTScloud
CVE ID: CVE-2023-50358
CVE state: PUBLISHED
CVE assigner short name: qnap
CVE date updated: 02/13/2024
CVE description: An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions:
  • QTS 5.1.5.2645 build 20240116 and later
  • QTS 4.5.4.2627 build 20231225 and later
  • QTS 4.3.6.2665 build 20240131 and later
  • QTS 4.3.4.2675 build 20240131 and later
  • QTS 4.3.3.2644 build 20240131 and later
  • QTS 4.2.6 build 20240131 and later
  • QuTS hero h5.1.5.2647 build 20240118 and later
  • QuTS hero h4.5.4.2626 build 20231225 and later
  • QuTScloud c5.1.5.2651 and later
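A defender's check built from the fixed-version list in the CVE-2023-50358 entry above, added here as an example (it is not watchTowr's or QNAP's code): it parses the "fixed in" strings and reports whether a given installed build is at or past the fix for its branch. The branch-matching rule (shared leading version components, ties resolved to the highest listed release) and the sample installed versions are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Fixed-version list exactly as published in the CVE-2023-50358 entry quoted on this page.
FIXED_TEXT = """QTS 5.1.5.2645 build 20240116 and later
QTS 4.5.4.2627 build 20231225 and later
QTS 4.3.6.2665 build 20240131 and later
QTS 4.3.4.2675 build 20240131 and later
QTS 4.3.3.2644 build 20240131 and later
QTS 4.2.6 build 20240131 and later
QuTS hero h5.1.5.2647 build 20240118 and later
QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.1.5.2651 and later"""

# product, optional h/c prefix, dotted version, optional "build YYYYMMDD"
LINE_RE = re.compile(r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?")

class Release(NamedTuple):
    product: str
    version: tuple  # numeric components, e.g. (5, 1, 5, 2645)
    build: int      # build date as an int, 0 when the advisory gives none

def parse_release(text: str) -> Release:
    m = LINE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    product, ver, build = m.groups()
    return Release(product, tuple(int(x) for x in ver.split(".")), int(build or 0))

FIXED = [parse_release(line) for line in FIXED_TEXT.splitlines()]

def common_prefix(a: tuple, b: tuple) -> int:
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def is_fixed(installed: str) -> Optional[bool]:
    """True if the installed release is at/after the fix for its branch, False if older,
    None if the advisory lists no release for that product branch (assumed rule: a branch
    is 'the same' when at least two leading version components match)."""
    inst = parse_release(installed)
    candidates = [f for f in FIXED if f.product == inst.product
                  and common_prefix(f.version, inst.version) >= 2]
    if not candidates:
        return None
    # Longest shared prefix wins; ties go to the highest release (the conservative choice).
    best = max(candidates, key=lambda f: (common_prefix(f.version, inst.version), f.version, f.build))
    return (inst.version, inst.build) >= (best.version, best.build)
```

A `None` result means the installed branch is not covered by this advisory at all, which is worth treating as unpatched until QNAP says otherwise.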

Need to know more?

Playing Catch-Up with Patch-Up

WatchTowr, the guardian of internet safety, has unearthed a treasure trove of bugs in QNAP's software, but it seems like QNAP's bug-zappers are running out of juice. A whopping 15 vulnerabilities were spotted doing the conga on QNAP's operating systems, yet only four got stamped out. It's like playing Whack-A-Mole, only the moles are winning.

The Waiting Game

These cyber sleuths at watchTowr were generous with their time, giving QNAP multiple extensions beyond the standard 90-day grace period. But patience has limits, and watchTowr had to spill the beans to protect the internet masses. It's like waiting for a sloth to finish a sprint – eventually, you just have to cross the finish line for it.

Cooperation Without Speed

The researchers painted QNAP as the friendliest turtle in the race, granting access to its testing playground and showing high regard for user security. Yet, when it comes to racing against the clock, QNAP is moving at a snail's pace. It's like having a superhero who's great at saving cats from trees but can't quite stop a bank heist.

Ransomware's Favorite Playground

Let's take a trip down memory lane where QNAP devices were the popular kids on the block... for ransomware bullies. With events like Qlocker and DeadBolt asking for lunch money in Bitcoin, it's becoming clear that QNAP needs to up its game unless it wants to become the go-to piggy bank for cybercriminals.

Procrastination or Perseverance?

While it's heartwarming to hear about watchTowr's empathy for QNAP's struggle with a codebase as old as the memes about Chuck Norris, it's crunch time. With a history riddled with cyberattacks, QNAP's leisurely pace in squashing bugs could use a shot of espresso. Or maybe a whole coffee plantation.

The Bottom Line

To sum it all up, QNAP's got a bit of a security snafu on their hands, and the comfy cushion of extensions from watchTowr is wearing thin. It's time to hit the panic button, call in the code wizards, and get those patches out faster than you can say "CVE-2024-27130" three times fast. Otherwise, it's not just the bugs that'll be biting—it'll be the users too.

Tags: CVE-2024-27130, NAS security, QNAP vulnerabilities, Remote code execution (RCE), Security patch management, Unpatched Software, Vulnerability Disclosure