Security ID : QSA-21-10
Multiple Vulnerabilities in Twonky Server
Release date : April 16, 2021
Affected products: QNAP NAS running Twonky Server
Severity
Important
Status
Resolved
Summary
Two vulnerabilities have been reported to affect earlier versions of Twonky Server.
- An improper access restriction vulnerability allows remote attackers to gain access to sensitive information, such as the administrator username and password for accessing Twonky Server settings.
- A weak password obfuscation vulnerability allows remote attackers to decrypt passwords easily.
Both vulnerabilities combined allow remote attackers to gain access to all content accessible to the server.
The vendor released version 8.5.2 to address the vulnerabilities.
Recommendation
To fix the vulnerability, we recommend updating Twonky Server to the latest version.
Updating Twonky Server
- Log on to QTS as administrator.
- Open the App Center and then click
.
A search box appears. - Type “Twonky Server” and then press ENTER.
Twonky Server appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if your Twonky Server is already up to date. - Click OK.
The application is updated.
Reference:
Revision History:
V2.0 (May 13, 2021) - The security update is available
V1.0 (April 16, 2021) - Published
