QNAP, the makers of Networked Attached Storage (NAS) devices that are especially popular with home and small business users, has issued a warning about not-yet-patched bugs in the company’s products.
Home and small office NAS devices, which typically range in size from that of a small dictionary to that of a large encyclopedia, provide you with the ready-to-go convenience of cloud storage, but in the custodial comfort of your own network.
Loosely speaking, a NAS device is like an old-school file server that connects directly to your LAN, so it’s accessible and usable even if your internet connection is slow or broken.
Unlike an old-school file server, however, the operating system and file-serving software are preinstalled and preconfigured for you, as part of the device, so it Just Works.
No need to learn how to install Linux and Samba, or to wrangle with Windows Server licences, or to specify and build a server of your own and administer it.
NAS boxes typically come with everything you need (or with disk slots into which you add your own commodity disk drives of a suitable capacity), so you need to do little more than plug a power lead into the NAS, and hook up a network cable from the NAS to your router.
No need to buy a USB drive for every laptop and desktop you own, because the NAS can be shared, and used simultaneously, by all the devices on your LAN.
Configuring and managing the NAS can be done from any computer on your network, using a web browser to talk to a dedicated web server that’s ready and waiting on the NAS itself.
Convenience versus cybersecurity
Of course, the easy-to-use and ready-to-go nature of NAS devices comes with its own challenges:
- What if your NAS device ends up accessible from the internet? Even on your LAN, there’s a risk that malware on one internal device could harm data shared by all your devices, but a NAS box that’s visible from the internet is at permanent risk from potential attackers all over the world.
- What if the operating system software on the NAS has security holes? Many NAS boxes are based on a distribution of Linux that’s specific not only to the vendor but often also to the specific device. You may be unable to install updates yourself even if you are able to figure out which patches are needed, so you have to rely on the vendor for updates.
- What if the NAS web server sofware has security bugs? You don’t get to choose which web server, or which version, is used for configuring and managing the device. Once again, you typically need to rely on the vendor for security updates.
QNAP inherits bugs from Apache
QNAP’s devices generally use httpd, the popular Apache HTTP Server Project, running on a customised distro of Linux.
(Apache is the name of a software foundation that looks after a web server project amongst hundreds of others; although many people use “Apache” as shorthand for the web server, we recommend you don’t, because it’s confusing, rather like referring to Windows as “Microsoft” or to Java as “Oracle”.)
Just over a month ago, Apache released version 2.4.53 of its HTTP Server, fixing several CVE-tagged bugs, including at least two that could lead to crashes or even remote code execution (RCE).
Unfortunately, QNAP hasn’t yet pushed out the HTTP Server 2.4.53 update to its own devices, although it is now warning that two of the bugs that were fixed, CVE-2022-22721 and CVE-2022-23943, do affect some of its products.
Fortunately, exploiting those bugs relies on features in the HTTP Server code that are not enabled by default on QNAP devices, and that you can easily turn off temporarily if you have enabled them.
What to do?
The bugs and their workarounds are:
- CVE-2022-22721. A web client sending in a supersized HTTP request could cause a buffer overflow, thus provoking a server crash or even leading to an exploitable code execution hole. Check that the HTTP Server configuration setting
LimitXMLRequestBodyis set to 1MByte (the default) or below. - CVE-2022-23943. If you have turned on the Apache HTTP Server
mod_sedextension, which allows you to set up incoming and outgoing content filtering rules, you may be vulnerable to memory mismangement bugs if extrasupersized HTTP requests (bigger than 2Gbyte!) are received. We’re not sure why you would need to turnmod_sedon, but QNAP seems to think there may be customers who are using this feature. Check thatmod_sedis not enabled. (The namemod_sedis shorthand for stream editing module, meaning that it can apply text editing rules to requests as they arrive, or to replies just before they’re sent out.)
QNAP says it intends to patch its devices, promising that it “will release security updates as soon as possible”, although we don’t want to guess how soon that will be, given that Apache itself made the patches publicly available just over five weeks ago.
You can keep your eye out for QNAP updates via the company’s decently laid-out Security Advisories page.
While you’re about it, remember that it’s very unlikely that you want a NAS of your own to be accessible from the internet side of your router, because that would leave it directly exposed to automated scanning, discovery and probing by cybercriminals.
Therefore we recommend the following precautions, too:
- Don’t open your network servers up to the internet unless you really mean to. QNAP has advice on how to prevent your NAS device from receiving connections from the public internet by mistake, thus preventing your device from being accessed or even discovered in the first place. Perform a similar check for all the devices on your network, just in case you have other private devices that can inadvertently be “tickled” from the internet.
- Don’t use Universal Plug-and-Play (UPnP). UPnP sounds very useful, because it’s designed to allow routers to reconfigure themselves automatically to make setting up new devices easier. But it comes with enormous risks, namely that your router might inadvertently make some new devices visible through the router, thus opening them up unexpectedly to untrusted users on the internet. Explicitly disable UPnP on every device that supports it, including on your router itself. If you have a router with UPnP that won’t let you turn it off, get a new router.