
Security ID : NAS-201709-11

Security Advisory for Command Injection in QTS and in Media Streaming Add-On


  • Release date : September 11, 2017

  • CVE identifier : CVE-2017-10700

  • Affected products: All QNAP NAS currently or previously installed with the Media Streaming Add-On

Severity

Critical

Status

Resolved


Summary

Adam Bell from Lateral Security reported a possible command injection issue in the Media Streaming Add-On application. QNAP appreciates Mr. Bell’s efforts to inform the company about the issue.

Based on the report and internal research, all QNAP NAS devices currently or previously installed with the Media Streaming Add-On application may be vulnerable. If successfully exploited, the vulnerability may allow a user to gain access to the NAS and execute malicious code without requiring any privileges.

The latest versions of QTS and of the Media Streaming Add-On application include security fixes for the vulnerability.

Recommendations

To fix this vulnerability, you must install QTS 4.2.6 build 20170905 or QTS 4.3.3.0262 build 20170727, and install one of the following Media Streaming Add-On updates.

  • QTS 4.3.x: Media Streaming Add-On 430.1.4.1 or later
  • QTS 4.2.x: Media Streaming Add-On 421.1.1.1 or later

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.

Tip: You can also download the update from the QNAP website. Go to Support > Download and then perform a manual update.

Installing the Media Streaming Add-On Update

  1. Go to App Center > My Apps.
  2. Click Media Streaming Add-On.
  3. Click Update.

Note: The Update button is not available if you are using the latest version.
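
The following added example (not part of QNAP's advisory) checks a device inventory against the fixed versions listed under Recommendations. The inventory rows, the function names, and the rule that a later build date within the same QTS branch also contains the fix are assumptions made for illustration.

```python
# Added example: audit NAS inventory against the fixed versions in NAS-201709-11.
# Thresholds are quoted from the advisory; everything else is an assumption.
FIXED = {
    (4, 2): {"qts_build": 20170905, "addon": (421, 1, 1, 1)},
    (4, 3): {"qts_build": 20170727, "addon": (430, 1, 4, 1)},
}


def parse_version(text):
    """Turn a dotted version such as '430.1.4.1' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def outstanding_actions(qts_version, qts_build, addon_version=None):
    """Return the updates a device still needs; an empty list means none.

    addon_version=None means the add-on is not installed now. Such a device
    is still checked for QTS, because the advisory covers devices that had
    the add-on installed previously.
    """
    fixed = FIXED.get(parse_version(qts_version)[:2])
    if fixed is None:
        return ["QTS branch not listed in the advisory: review manually"]
    actions = []
    # Assumption: within one branch, a later build date includes the fix.
    if int(qts_build) < fixed["qts_build"]:
        actions.append("update QTS")
    if addon_version is not None and parse_version(addon_version) < fixed["addon"]:
        actions.append("update Media Streaming Add-On")
    return actions


# Constructed inventory rows: (host, QTS version, QTS build, add-on version).
INVENTORY = [
    ("nas-01", "4.3.3", "20170727", "430.1.4.1"),
    ("nas-02", "4.3.3", "20170703", "430.1.2.0"),
    ("nas-03", "4.2.6", "20170905", "421.1.0.5"),
    ("nas-04", "4.2.6", "20170517", None),
    ("nas-05", "4.1.4", "20150522", None),
]


def audit(inventory):
    """Map each host to its list of outstanding actions."""
    return {host: outstanding_actions(ver, build, addon)
            for host, ver, build, addon in inventory}


if __name__ == "__main__":
    for host, actions in audit(INVENTORY).items():
        print(host, "OK" if not actions else "; ".join(actions))
```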

 

If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/

Revision History: 2017-09-11
