QNAP, the makers of Networked Attached Storage (NAS) devices that are especially popular with home and small business users, has issued a warning about not-yet-patched bugs in the company’s products.
Home and small office NAS devices, which typically range in size from that of a small dictionary to that of a large encyclopedia, provide you with the ready-to-go convenience of cloud storage, but in the custodial comfort of your own network.
Loosely speaking, a NAS device is like an old-school file server that connects directly to your LAN, so it’s accessible and usable even if your internet connection is slow or broken.
Unlike an old-school file server, however, the operating system and file-serving software are preinstalled and preconfigured for you, as part of the device, so it Just Works.
No need to learn how to install Linux and Samba, or to wrangle with Windows Server licences, or to specify and build a server of your own and administer it.
NAS boxes typically come with everything you need (or with disk slots into which you add your own commodity disk drives of a suitable capacity), so you need to do little more than plug a power lead into the NAS, and hook up a network cable from the NAS to your router.
No need to buy a USB drive for every laptop and desktop you own, because the NAS can be shared, and used simultaneously, by all the devices on your LAN.
Configuring and managing the NAS can be done from any computer on your network, using a web browser to talk to a dedicated web server that’s ready and waiting on the NAS itself.
Convenience versus cybersecurity
Of course, the easy-to-use and ready-to-go nature of NAS devices comes with its own challenges:
- What if your NAS device ends up accessible from the internet? Even on your LAN, there’s a risk that malware on one internal device could harm data shared by all your devices, but a NAS box that’s visible from the internet is at permanent risk from potential attackers all over the world.
- What if the operating system software on the NAS has security holes? Many NAS boxes are based on a distribution of Linux that’s specific not only to the vendor but often also to the specific device. You may be unable to install updates yourself even if you are able to figure out which patches are needed, so you have to rely on the vendor for updates.
- What if the NAS web server software has security bugs? You don’t get to choose which web server, or which version, is used for configuring and managing the device. Once again, you typically need to rely on the vendor for security updates.
QNAP inherits bugs from Apache
QNAP’s devices generally use httpd, the popular Apache HTTP Server Project, running on a customised distro of Linux.
(Apache is the name of a software foundation that looks after a web server project amongst hundreds of others; although many people use “Apache” as shorthand for the web server, we recommend you don’t, because it’s confusing, rather like referring to Windows as “Microsoft” or to Java as “Oracle”.)
Just over a month ago, Apache released version 2.4.53 of its HTTP Server, fixing several CVE-tagged bugs, including at least two that could lead to crashes or even remote code execution (RCE).
Unfortunately, QNAP hasn’t yet pushed out the HTTP Server 2.4.53 update to its own devices, although it is now warning that two of the bugs that were fixed, CVE-2022-22721 and CVE-2022-23943, do affect some of its products.
Fortunately, exploiting those bugs relies on features in the HTTP Server code that are not enabled by default on QNAP devices, and that you can easily turn off temporarily if you have enabled them.
What to do?
The bugs and their workarounds are:
- CVE-2022-22721. A web client sending in a supersized HTTP request could cause a buffer overflow, thus provoking a server crash or even leading to an exploitable code execution hole. Check that the HTTP Server configuration setting LimitXMLRequestBody is set to 1MByte (the default) or below.
- CVE-2022-23943. If you have turned on the Apache HTTP Server mod_sed extension, which allows you to set up incoming and outgoing content filtering rules, you may be vulnerable to memory mismanagement bugs if extra-supersized HTTP requests (bigger than 2Gbyte!) are received. We’re not sure why you would need to turn mod_sed on, but QNAP seems to think there may be customers who are using this feature. Check that mod_sed is not enabled. (The name mod_sed is shorthand for stream editing module, meaning that it can apply text editing rules to requests as they arrive, or to replies just before they’re sent out.)
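As an added example (not from the article, QNAP or the Apache project), here is a small Python audit that reads an httpd configuration as text and flags the two workaround conditions above: a loaded sed_module, and any LimitXMLRequestBody larger than Apache’s documented default of 1000000 bytes. The configuration fragment it runs on is constructed for the demonstration.

```python
import re

# Apache's documented default when LimitXMLRequestBody is absent (bytes);
# the advisory calls this "1MByte".
DEFAULT_LIMIT_XML_REQUEST_BODY = 1_000_000

# Constructed sample httpd.conf fragment (not taken from any QNAP device).
SAMPLE_CONF = """\
# LoadModule sed_module modules/mod_sed.so   <- commented out, so harmless
LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 1000000
<Directory "/share/Web">
    LimitXMLRequestBody 5000000
</Directory>
"""

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)", re.I)
LIMITXML_RE = re.compile(r"^\s*LimitXMLRequestBody\s+(\d+)", re.I)

def audit_httpd_conf(conf_text, default_limit=DEFAULT_LIMIT_XML_REQUEST_BODY):
    """Return which of the two advisory conditions the config text triggers."""
    sed_loaded = False
    limits = []  # (line number, bytes) for every LimitXMLRequestBody directive seen
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines
            continue
        m = LOADMODULE_RE.match(line)
        if m and m.group(1).lower() == "sed_module":
            sed_loaded = True
        m = LIMITXML_RE.match(line)
        if m:
            limits.append((lineno, int(m.group(1))))
    # The largest value in any context is the one that matters for the workaround.
    effective = max((b for _, b in limits), default=default_limit)
    findings = []
    if sed_loaded:
        findings.append("mod_sed is loaded: disable it until the CVE-2022-23943 fix is installed")
    for lineno, b in limits:
        if b > default_limit:
            findings.append(f"line {lineno}: LimitXMLRequestBody {b} exceeds "
                            f"{default_limit} (CVE-2022-22721 workaround)")
    return {"mod_sed_loaded": sed_loaded,
            "max_limit_xml_request_body": effective,
            "findings": findings}

if __name__ == "__main__":
    for f in audit_httpd_conf(SAMPLE_CONF)["findings"]:
        print(f)
```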
QNAP says it intends to patch its devices, promising that it “will release security updates as soon as possible”, although we don’t want to guess how soon that will be, given that Apache itself made the patches publicly available just over five weeks ago.
You can keep your eye out for QNAP updates via the company’s decently laid-out Security Advisories page.
While you’re about it, remember that it’s very unlikely that you want a NAS of your own to be accessible from the internet side of your router, because that would leave it directly exposed to automated scanning, discovery and probing by cybercriminals.
Therefore we recommend the following precautions, too:
- Don’t open your network servers up to the internet unless you really mean to. QNAP has advice on how to prevent your NAS device from receiving connections from the public internet by mistake, thus preventing your device from being accessed or even discovered in the first place. Perform a similar check for all the devices on your network, just in case you have other private devices that can inadvertently be “tickled” from the internet.
- Don’t use Universal Plug-and-Play (UPnP). UPnP sounds very useful, because it’s designed to allow routers to reconfigure themselves automatically to make setting up new devices easier. But it comes with enormous risks, namely that your router might inadvertently make some new devices visible through the router, thus opening them up unexpectedly to untrusted users on the internet. Explicitly disable UPnP on every device that supports it, including on your router itself. If you have a router with UPnP that won’t let you turn it off, get a new router.
DanniBoy
One of the supposed advantages I’ve seen for a NAS device is that it can be connected to the internet so that it can be accessed away from your base, but my rather limited computer skills mean I’m too worried to even think of doing this.
Is it possible to do it, even though your remarks above suggest this is not possible?
Paul Ducklin
I sort of skirted the question by saying, “Don’t open your network servers up to the internet unless you really mean to”, rather than, “It can’t be done, and please don’t try” :-)
One solution is to run a proper firewall between your regular modem or modem/router combo (the device that plugs into your phone line or into your ISP’s fibre connector to complete your physical internet hookup) and the rest of your network. For example, if you have a spare laptop handy, you could set up a full-on Sophos XG Firewall Home Edition and use that as your network boundary protection.
A fully-featured firewall like the Sophos one will include a VPN (virtual private network) or ZTNA (zero-trust network access) component that requires you to log in to the firewall first, after which you get a virtual “network position” on the LAN side of the firewall, with the firewall deciding which internal services you can access. From there, if you have access to the NAS device, you can log in to the NAS as though you were connected directly to the LAN.
So you don’t need to have the NAS box itself directly exposed to the internet; you let the firewall act as the secure connection point for accessing the NAS box as though you were at home.
I’ll be honest and say that setting up the Sophos Home Firewall isn’t as easy as setting up the average, stripped-down-for-simplicity SoHo router, because you’re setting up a business grade firewall with all the features you’d expect that sort of product to have (VPN, email filtering, web filtering, malware scanning, including scanning inside HTTPS if you want, intrusion prevention, bandwidth shaping, the lot – the Home Edition licence activates the works for $0)…
…but if you’ve ever thought of learning more about business-grade firewalls, here’s a chance to learn for free, while using the product for extra protection in real life!
For more info, see:
https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx
DanniBoy
Great, I’ll look into this as soon as I can.
Thanks for replying.