QNAP Systems, Inc. - Network Attached Storage (NAS)


Protect Your Turbo NAS from Remote Attackers - Bash (Shellshock) Vulnerabilities

Release date: October 5, 2014
Last updated: October 5, 2014
Bulletin ID: NAS-201410-05
Severity rating: Critical
CVE number: CVE-2014-6271、CVE-2014-7169、 CVE-2014-6277、CVE-2014-6278、CVE-2014-7186 and CVE-2014-7187
Affected product:
  • All Turbo NAS models except TS-100, TS-101, TS-200

GNU Bash security vulnerabilities (CVE-2014-6271、CVE-2014-7169、 CVE-2014-6277、CVE-2014-6278、CVE-2014-7186 , and CVE-2014-7187), also known as “Shellshock,” might allow remote attackers to inject malicious code via specially-crafted environment variables and run commands from the Bash shell on UNIX/Linux-based systems, including the Turbo NAS.


QTS version 4.1.1 Build 1003 has integrated the official GNU Bash patches to fix these vulnerabilities. Users are strongly advised to update their Turbo NAS units to this QTS version through live update or download the QTS update file from the Download Center (/download).

QTS 4.1.1 Build 1003 can be directly applied in the following two ways:

Live Update
Go to QTS -> Control Panel -> Firmware Update > Live Update


Manual Update

  1. Select your model and download the QTS from the QNAP website (/download)
  2. Decompress the ZIP file.
  3. Go to QTS -> Control Panel ->Firmware Update- > Firmware Update Tab

Note: A Qfix security patch will be provided later for the following cases:

  • For users who wish to continue to use QTS 4.0 and 3.8
  • For QNAP TS-109/209/409/409U NAS series owners
If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/