QNAP Systems, Inc. - Network Attached Storage (NAS)

An Urgent Fix on the Reported Infection of a Variant of GNU Bash Environment Variable Command Injection Vulnerability

Release date: December 12, 2014
Last updated: December 12, 2014
Bulletin ID: NAS-201412-12
Severity rating: Critical
Affected product:
  • All Turbo NAS series with firmware versions prior to 4.1.1 build 1003 that do not have Qfix 1.0.2 build 1008 applied
Summary

Following reported infections that exploited the Bash (Shellshock) vulnerability on QNAP NAS systems (firmware versions prior to 4.1.1 build 1003 without Qfix 1.0.2 build 1008 applied), we provide a method for users to check their systems and remove the infection if it is found. Customers who have noticed an unusually large amount of Internet traffic generated by their NAS should read the following sections and perform the remediation procedure as instructed.

Solution

Check for possible infections

Follow these steps to check for signs of infection:

  1. Log into the NAS with an SSH client. On an infected system the shell prompt has been changed to [admin@NAS-NAME ~] instead of [~].
  2. Check the shadow and passwd files in /etc/config/shadow and /etc/config/passwd respectively using the cat command. Look for the suspicious username "request". This user has the same user ID as the admin user (UID 0).
  3. Look for a folder named "optware" on the main data volume (e.g. /share/MD0_DATA/optware).
  4. Check for abnormal .cgi processes by entering the command: ps | grep cgi
     Example output from an infected system:
       8372 admin    S    1724 18432  0.0  0.3 .cgi
       8373 admin    S    1724 18432  0.0  0.3 .cgi
       8374 admin    S    1724 18432  0.0  0.3 .cgi
       8376 admin    S    1724 18432  0.0  0.3 .cgi
       8377 admin    S    1724 18432  0.0  0.3 .cgi
       8379 admin    S    1724 18432  0.0  0.3 .cgi
       8380 admin    S    1724 18432  0.0  0.3 .cgi
       8381 admin    S    1724 18432  0.0  0.3 .cgi
       8382 admin    S    1724 18432  0.0  0.3 .cgi
       8383 admin    S    1724 18432  0.0  0.3 .cgi
       8384 admin    S    1724 18432  0.0  0.3 .cgi
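As an added example (not QNAP's own tooling), the following POSIX shell script automates the four checks above plus a check for the autorun.sh persistence file that Method 2 removes. Every location is passed as an argument, so on a NAS it would be pointed at /etc/config/passwd, /share and a config partition mounted as in Method 2; here it runs against constructed sample data so it can be tried offline. The ps parsing assumes the command is the last column of the output, as in the listing above.

```shell
#!/bin/sh
# Added example, not QNAP's own tooling: an offline scan for the infection
# indicators the bulletin lists. Paths are arguments so the same functions
# work against a real NAS or, as below, against constructed sample files.

# Indicator 2: accounts other than "admin" that carry UID 0.
# Prints offending usernames; returns 1 when at least one is found.
find_extra_uid0() {
    hits=$(awk -F: '$3 == 0 && $1 != "admin" { print $1 }' "$1")
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Indicator 3: an "optware" directory directly under any data volume
# (e.g. /share/MD0_DATA/optware). $1 is the volume root (/share on a NAS).
find_optware() {
    found=""
    for d in "$1"/*/optware; do
        [ -d "$d" ] && found="$found$d
"
    done
    [ -n "$found" ] || return 0
    printf '%s' "$found"
    return 1
}

# Indicator 4: processes whose command column is exactly ".cgi".
# Reads ps output from stdin and prints the count (0 when none).
count_cgi_procs() {
    awk '$NF == ".cgi" { n++ } END { print n + 0 }'
}

# Persistence: autorun.sh on the config partition. $1 is its mount point;
# on a real NAS mount the partition first as described in Method 2.
has_autorun() {
    [ -f "$1/autorun.sh" ]
}

# Runs every check, prints findings and finally "indicators: N".
# Usage: <ps output> | scan <passwd file> <volume root> <config mount point>
scan() {
    n=0
    if ! find_extra_uid0 "$1"; then echo "  -> extra UID-0 account(s) in $1"; n=$((n + 1)); fi
    if ! find_optware "$2"; then echo "  -> optware directory under $2"; n=$((n + 1)); fi
    cgi=$(count_cgi_procs)
    if [ "$cgi" -gt 0 ]; then echo "  -> $cgi .cgi process(es) running"; n=$((n + 1)); fi
    if has_autorun "$3"; then echo "  -> autorun.sh present in $3"; n=$((n + 1)); fi
    echo "indicators: $n"
}

# ---- constructed sample data (not taken from a real system) ----
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
cat > "$work/passwd" <<'EOF'
admin:x:0:0:administrator:/share/homes/admin:/bin/sh
guest:x:65534:65534:guest:/tmp:/bin/sh
request:x:0:0::/share/homes/request:/bin/sh
EOF
mkdir -p "$work/share/MD0_DATA/optware" "$work/config"
: > "$work/config/autorun.sh"
# Three bare ".cgi" processes plus one legitimate-looking line that must not count.
SAMPLE_PS='  8372 admin    S   1724 18432  0.0  0.3 .cgi
  8373 admin    S   1724 18432  0.0  0.3 .cgi
  8374 admin    S   1724 18432  0.0  0.3 .cgi
  1102 admin    S    900  2048  0.0  0.1 /sbin/cgi_server'

printf '%s\n' "$SAMPLE_PS" | scan "$work/passwd" "$work/share" "$work/config"
```

On a NAS the last line would become `ps | scan /etc/config/passwd /share /tmp/config` after mounting the config partition read-only; a result of "indicators: 0" on a system that still shows heavy outbound traffic is a reason to keep investigating, not proof of a clean system, since the script only knows the indicators this bulletin describes.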

If your system shows these signs, choose one of the following methods to clear the malware.

Method 1: Reinitialize your NAS to clear the malware.

Note: This method will clear all data on the NAS. Make sure you back up your data first!

  1. Isolate the NAS from any internet-connected networks.
  2. Back up any data which you do not want to lose on the NAS.
  3. Power off the NAS and remove all HDDs.
  4. Power on the NAS while all HDDs are still disconnected. The NAS will come online with default settings.
  5. Connect to the NAS by an SSH client such as PuTTY (Windows) or Terminal (Mac OS). For instruction on how to use PuTTY, see:
    https://docs.google.com/document/d/1ntaKUsmEoA6rK_0xmibeaDrDT7gdHKm_uq5av1piTvw/edit?usp=sharing.
  6. Copy and paste the exact command for your CPU type below, and press Enter.
     For ARM CPU models:
       mount -t ext2 /dev/mtdblock5 /tmp/config && rm /tmp/config/autorun.sh; umount /tmp/config
     For Intel CPU models:
       mount -t ext2 `ls -1 /dev/sd*|grep 6` /tmp/config && rm /tmp/config/autorun.sh; umount /tmp/config
  7. Connect to the NAS with a browser and continue with the quick setup. You must select a disk configuration (Single, RAID, JBOD) in the final step; otherwise, the malware will not be cleared! This action will also re-format any data on the NAS.

Method 2: Manually clear the malware.

It is recommended that only experienced system administrators who fully understand the implications of these changes perform the operations provided here.

  1. Mount the filesystem:
     mount /dev/mtdblock5 /tmp/config (for ARM models)
     or
     mount /dev/sdX6 /tmp/config (for Intel models, where X can be found from the output of the command: ls -1 /dev/sd* | grep 6)
  2. Enter the command to remove the injected autorun.sh script:
    rm /tmp/config/autorun.sh
  3. Unmount the filesystem:
    umount /tmp/config
  4. Remove the "optware" folder found in step 3 of the infection check (replace 'PathTo' with the data volume path, e.g. /share/MD0_DATA):
     rm -r /'PathTo'/optware
  5. Log into your Turbo NAS as the admin, go to "Control Panel" > "Users" and delete unknown usernames such as "request".
  6. Reboot the system.
  7. Update your system to the latest firmware version. For instructions, see the Firmware Update section below.

Firmware Update

Live Update

Go to "Control Panel" > "Firmware Update" and select the "Live Update" tab.


Manual Update

  1. Go to the QNAP website (/download) and choose your Turbo NAS model.
  2. Select "Firmware", find the latest firmware from the list and choose to download from the Global, European or United States server depending on your location.
  3. Decompress the ZIP file.
  4. Log in to your Turbo NAS as the admin, go to "Control Panel" > "Firmware Update", choose the "Firmware Update" tab and upload the decompressed firmware image.

If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/