QNAP backtracks on scope of critical NAS bug

The impact of a critical bug originally believed to open 30,000 QNAP network-attached storage (NAS) devices to attack, was likely overstated. Researchers now say the QNAP arbitrary code injection bug, with a CVSS score of 9.8, poses little threat to QNAP users.

Researchers at Censys, which reported last week that 98% of QNAP devices (QTS 5.0.1 and QuTS hero h5.0.1), representing over 30,000 in-use instances, were unpatched and vulnerable to attack via the internet. Censys now tells SC Media that because QNAP likely flubbed to properly identify the range of affected NAS models, zero of the company's devices appear vulnerable to attack via the critical bug (CVE-2022-27596).

Marc Light, vice president of data science and research at Censys, said researchers built their observations on what QNAP posted in it JSON-encoded attachment, along with the NVD advisory from NIST.

Light pointed out that QNAP has updated the CVE record (CVE-2022-27596) now stating that QTS 5.0.0, QTS 4.xx, QuTS hero 5.0.0 and QuTS hero 4.5x are not affected.

While some security researchers still wonder what changed for QNAP to alter its assessment, most said for now, they had to take QNAP at face value and say QNAP may have made a mistake when it comes to how many QNAP NAS devices were exposed to the internet and open to attack.

“This drastically changes the outcome of our report, as most of the devices we observed were running version 5.0.0 and version 4.3.3, both of which have now been made clear and are not vulnerable to this attack,” Light said.

Andy Doering, cosmos adversarial operator at red teaming company Bishop Fox, said while the dramatic drop from 98% to 0% might appear confusing at first, it’s the nature of the business we work in, particularly when dealing with emerging vulnerabilities.   

“While I can’t speculate on QNAPs process, this certainly seems 'best-effort' to get the most accurate patching information out before the weekend,” Doering said.

Erring on the side of caution

The vulnerability number has gone from 98% to 0%, said Light, who added that NIST has not yet updated its NVD regarding the QNAP NAS devices – CVE-2022-27596. Light recommended that companies running all versions of the QNAP NAS devices enable the auto update feature.

“The flaw in this whole thing is QNAP not saying why they changed their assessment,” said Mike Parkin, senior technical engineer at Vulcan Cyber.

Parkin added whatever comes of this case, the solution doesn’t change. He agreed with Censys that companies should enable the auto update feature. Parkin also said companies should do a regular vulnerability scan, conduct a pen test if they can afford the several thousand dollars it would cost, and follow best practices.

“What I mean here is for a company doing media services and running file transfers to not open the admin function to the public internet,” Parkin said. “A pen test could be good, but most small businesses don’t have the resources to afford that.”

QNAP network-attached storage tends to get used by IT professionals and content creators and media professionals at companies of under 1,000 employees. IT professionals use QNAP NAS to add more storage or back up servers, and media pros use QNAP NAS to store and process large video and audio files.