
Security ID: QSA-25-56

Vulnerability in legacy QTS with NFS service enabled


  • Release date: January 17, 2026

  • CVE identifier: CVE-2025-66276

  • Affected products: QTS 4.3.x

Severity

Moderate

Status

Resolved


Summary

A vulnerability has been reported to affect certain legacy QTS environments utilizing the NFS (Network File System) service. If exploited, the vulnerability allows attackers to perform actions and potentially gain access due to the misconfiguration of NFS settings.

  

We have already fixed the vulnerability in the following version:

Affected Product | Fixed Version
QTS 4.3.x        | QTS 5.2.x and later

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

  

We also recommend strengthening NFS access control for your shared folders.

Updating QTS

  1. Log in to QTS as an administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Strengthening NFS Access Control for Shared Folders

We recommend reviewing and adjusting the NFS permission settings (Host / IP / Network and Squash Option) for all affected shared folders. The following steps will help you further strengthen NFS access control and mitigate security risks caused by improper configuration.

  1. Log in to QTS as an administrator.
  2. Go to Control Panel > Privilege > Shared Folders > Shared Folder.
  3. Identify a shared folder.
  4. Under Action, click the Edit Shared Folder Permission icon.
    The Edit Shared Folder Permission window opens.
  5. Next to Select permission type, select NFS host access.
  6. Select Access right.
  7. Under Host / IP / Network, replace the wildcard value * with a specific IP address or domain name.
    This ensures only specific IP addresses or domain names can access the shared folder via NFS.
    Tip: To specify additional IP addresses or domain names, click Add.
  8. For each entry, under Squash Option, select Squash all users.
    This enforces stricter access control and minimizes the risk of unauthorized privilege usage.
  9. Click Apply.
    The system saves the shared folder permission settings.
  10. Repeat the above steps to configure the NFS settings for additional shared folders.
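
The two settings changed in the steps above (Host / IP / Network and Squash Option) can also be reviewed in bulk. The following Python script is an added example, not QNAP code: it assumes the NFS export list is available in Linux exports(5) syntax, which this advisory does not state for QTS, and the function name, share paths and hosts are constructed for illustration.

```python
# Added example: flag NFS exports that still allow wildcard hosts or do not
# squash all users. Assumes Linux exports(5) syntax with no spaces in paths
# and no backslash line continuations.

# Constructed sample input; not taken from a real device.
SAMPLE_EXPORTS = """\
/share/Public    *(rw,async,no_root_squash)
/share/Backup    192.0.2.10(rw,all_squash,anonuid=65534,anongid=65534)
/share/Media     192.0.2.0/24(ro,root_squash) *.example.com(rw,all_squash)
/share/Scratch   (rw)
"""


def audit_exports(text):
    """Return (path, host, problems) for every export entry needing review."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        # Conservative choice: a path with no client list is reviewed as if
        # it had no host restriction.
        for client in clients or [""]:
            host, _, rest = client.partition("(")
            opts = {o.strip() for o in rest.rstrip(")").split(",") if o.strip()}
            problems = []
            # An empty host, as in "(rw)", is not limited to any client.
            if host == "" or "*" in host or "?" in host:
                problems.append("wildcard host")
            # Only all_squash corresponds to "Squash all users".
            if "all_squash" not in opts:
                problems.append("not squashing all users")
            if problems:
                findings.append((path, host or "<any>", problems))
    return findings


if __name__ == "__main__":
    for path, host, problems in audit_exports(SAMPLE_EXPORTS):
        print(f"{path}  host={host}  -> {', '.join(problems)}")
```

Each reported entry corresponds to a shared folder whose NFS host access row should be revisited using steps 7 and 8.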

  

Attachment

Acknowledgements: Víctor A. Morales

Revision history: V1.0 (January 17, 2026) - Published
