QNAP Systems, Inc. - Network Attached Storage (NAS)


Security Advisory for Meltdown and Spectre Vulnerabilities

  • Release date: January 8, 2018
  • Security ID: NAS-201801-08
  • Severity: High
  • CVE identifier: CVE-2017-5715 | CVE-2017-5753 | CVE-2017-5754
  • Affected products: Several QNAP NAS models (The list will be updated after our ongoing investigation.)

Summary

Two major security flaws—Meltdown and Spectre—were found in a number of widely used processors. Meltdown (CVE-2017-5754) affects Intel and ARM processors, while Spectre (CVE-2017-5715, CVE-2017-5753) affects several processors from Intel, ARM, and AMD. If exploited, these vulnerabilities may allow remote attackers to access sensitive data.

We have identified a number of affected QNAP NAS models. You can find the comprehensive list below. We are currently working on software updates to fix these vulnerabilities.

We will continue updating this advisory with the latest information.

Affected NAS models

Enterprise NAS

8-bay:
TS-879 Pro
TS-879U-RP
TS-EC879U-RP
TS-EC880 Pro
TS-EC880U R2
TS-EC880U-RP
TVS-EC880
10-bay:
TS-1079 Pro
TS-EC1080 Pro
TVS-EC1080
TVS-EC1080+
12-bay:
SS-EC1279U-SAS-RP
TS-1279U-RP
TS-EC1279U-RP
TS-EC1279U-SAS-RP
TS-EC1280U R2
TS-EC1280U-RP
TVS-EC1280U-SAS-RP
TVS-EC1280U-SAS-RP R2
15-bay:
TVS-EC1580MU-SAS-RP
TVS-EC1580MU-SAS-RP R2
16-bay:
ES1640dc
ES1640dc v2
TDS-16489U
TS-1679U-RP
TS-1685
TS-EC1679U-SAS-RP
TS-EC1679U-RP
TS-EC1680U R2
TS-EC1680U-RP
TVS-EC1680U-SAS-RP
TVS-EC1680U-SAS-RP R2
18-bay:
TES-1885U    
24-bay:
TS-EC2480U R2
TVS-EC2480U-SAS-RP
TVS-EC2480U-SAS-RP R2
TS-EC2480U-RP
30-bay:
TES-3085U    
SMB NAS
1-bay:    
TS-131    
2-bay:    
TS-231
TS-239 Pro
TS-239 Pro II
TS-239 Pro II+
TS-239H
TS-253 Pro
TS-253A
TS-253B
TS-259 Pro
TS-259 Pro+
TS-269 Pro
TS-269H
TS-269L
4-bay:    
IS-400 Pro
IS-453S
SS-439 Pro
TBS-453A
TS-431
TS-431U
TS-431X
TS-431X2
TS-431XeU
TS-431XU
TS-431XU-RP
TS-439 Pro
TS-439 Pro II
TS-439 Pro II+
TS-439U-RP/SP
TS-451
TS-451S
TS-451U
TS-453 mini
TS-453 Pro
TS-453A
TS-453B
TS-453B mini
TS-453BT3
TS-453BU
TS-453BU-RP
TS-453S Pro
TS-453U
TS-453U-RP
TS-459 Pro
TS-459 Pro II
TS-459 Pro+
TS-459U-RP/SP
TS-459U-RP+SP+
TS-463U
TS-463U-RP
TS-469 Pro
TS-469L
TS-469U-RP
TS-469U-SP
TS-470
TS-470 Pro
TS-470U-SP
TS-470U-RP
TVS-463
TVS-470
TVS-471
TVS-471U
TVS-471U-RP
TVS-473
TVS-473e
5-bay:
TS-531P
TS-531X
TS-559 Pro
TS-559 Pro II
TS-559 Pro+
TS-563
TS-569 Pro
TS-569L
6-bay:
TS-639 Pro
TS-651
TS-653 Pro
TS-653A
TS-653B
TS-659 Pro
TS-659 Pro II
TS-659 Pro+
TS-669 Pro
TS-669L
TS-670
TS-670 Pro
TS-677
TVS-663
TVS-670
TVS-671
TVS-673
TVS-673e
TVS-682
TVS-682T
8-bay:
SS-839 Pro
TS-809 Pro
TS-809U-RP
TS-831X
TS-831XU
TS-831XU-RP
TS-851
TS-853 Pro
TS-853A
TS-853BU
TS-853BU-RP
TS-853S Pro
TS-853U
TS-853U-RP
TS-859 Pro
TS-859 Pro+
TS-859U-RP
TS-859U-RP+
TS-863U
TS-863U-RP
TS-869 Pro
TS-869L
TS-869U-RP
TS-870
TS-870 Pro
TS-870U-RP
TS-873U
TS-873U-RP
TS-877
TVS-863
TVS-863+
TVS-870
TVS-871
TVS-871T
TVS-871U-RP
TVS-873
TVS-873e
TVS-882
TVS-882BR
TVS-882BRT3
TVS-882S
TVS-882ST2
TVS-882ST3
TVS-882T
12-bay:
TS-1231XU
TS-1231XU-RP
TS-1253BU
TS-1253BU-RP
TS-1253U
TS-1253U-RP
TS-1263U
TS-1263U-RP
TS-1269U-RP
TS-1270U-RP
TVS-1271U-RP
TS-1273U
TS-1273U-RP
TS-1277
TVS-1282
TVS-1282T
TVS-1282T3
15-bay:
TVS-1582TU    
16-bay:    
TS-1635
TS-1673U
TS-1673U-RP
18-bay:
SS-EC1879U-SAS-RP    
24-bay:
SS-EC2479U-SAS-RP    
   
Home & SOHO NAS
1-bay:    
TS-131P    
2-bay:    
TS-231+
TS-231P
TS-231P2
TS-251
TS-251+
HS-251
TS-251A
TS-251C
HS-251+
4-bay:    
TS-431+
TS-431P
TS-431P2
TS-451+
TS-451A

Recommendations:

Since attackers may attempt to compromise QNAP devices using malicious code and applications, QNAP recommends the following precautions:

  • Do not install applications from unknown third-party sources.
  • Do not open or run unknown virtual machine (VM) images on your device.
  • Do not run unknown software in Container Station.

 

Revision History:
• V1.2 (January 16, 2018) - Updated the list of affected products
• V1.1 (January 11, 2018) - Updated with the initial list of affected products and recommendations
• V1.0 (January 8, 2018) - Published