My window to the world


Your NAS and the Bash vulnerability

By Mauricio Freitas, posted: 27-Sep-2014 11:30

If you have a home theatre or run a small business, you likely have a Network Attached Storage (NAS) device around. Or you may simply have a huge collection of photos and share that storage with the other computers at home.

Over time these devices have evolved from simple storage you could reach over the network into full computers, running web services, streaming, databases and even virtual machines (just check the TS-451 I had here for a while).

Obviously, being full computers, these endpoints have to be treated as potential weak links – and the recently disclosed GNU Bash vulnerability is affecting at least one NAS vendor, according to an email I just received. I would believe other vendors are also impacted, but I have not seen any documentation yet.

If you have a NAS at home (or run any UNIX-like operating system, including Linux, BSD and Mac OS X) then you should really look for a patch or update for your system and get it fixed.

Here’s the email QNAP sent to their customers:

QNAP Systems, Inc. has been looking into the recent concerns over potential Bash code injection (CVE-2014-6271) that can lead to security vulnerabilities on the Turbo NAS and other Unix/Linux-based systems. A partial solution for CVE-2014-6271 exists but may result in another security vulnerability (CVE-2014-7169). QNAP is actively working on a solution for this issue, but in the meantime encourages all Turbo NAS users to take the following immediate actions to avoid any possible exploitation of their system.

As a temporary measure until a solution is released for this issue, please ensure that the following services of the Turbo NAS are disconnected from the Internet:

  • Web administration
  • Web server
  • WebDAV
  • Photo Station, Music Station, File Station, and any other NAS app that uses a web-based interface

Normally the local network is not easily accessible from the Internet, so users can still use their Turbo NAS safely. If users still worry about the security of their local network, they can follow these steps to disable the QTS web UI completely, and only turn it on when necessary:

  • Login to QTS and disable the Web Server in Applications
  • Login to QTS and disable the secure connection (SSL) in General Settings
  • Disable NAS web administration using an SSH utility (such as PuTTY):
    • Connect to the Turbo NAS with the admin username and password
    • Type the following command and hit the "Enter" key: /etc/init.d/thttpd.sh stop

Note: The NAS web administration will become unavailable after taking the above steps. To restore it:

  • Restart the Turbo NAS, or
  • Manually start the web administration via SSH by typing the following command: /etc/init.d/thttpd.sh start

QNAP will keep users updated with the latest information while addressing this issue. If users would like further assistance, please contact QNAP Technical Support at http://helpdesk.qnap.com.
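The QNAP notice names two Bash issues, and the practical question for any NAS or Linux box is whether the installed bash is still affected by either. Below is a local self-check I added for this post (it is not QNAP's or Synology's code); it assumes a POSIX sh, that the bash to test is on PATH or passed as the first argument, and uses the harmless test strings that were published alongside the original advisories.

```shell
#!/bin/sh
# Self-test for CVE-2014-6271 and CVE-2014-7169 against a local bash binary.
# Assumption: the bash under test is "bash" on PATH, or the path given as $1
# (for a NAS, run this over SSH on the device itself).
BASH_BIN="${1:-bash}"

# CVE-2014-6271: an exported variable holding a function definition followed
# by a trailing command. An unpatched bash runs the trailing command while
# importing its environment. Prints "vulnerable", "patched" or "unknown".
check_cve_2014_6271() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(env x='() { :;}; echo VULN' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in
        *VULN*) echo vulnerable ;;
        *)      echo patched ;;
    esac
}

# CVE-2014-7169: the first fix still let a malformed function body leak a
# redirection into the next command, so "echo date" ends up writing the
# output of "date" into a file called "echo" in the working directory.
# We run it inside a throwaway directory and look for that file.
check_cve_2014_7169() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo unknown; return 0; }
    dir=$(mktemp -d) || { echo unknown; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) \
        >/dev/null 2>&1 || true
    if [ -f "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# Report both results; exit status 0 only when neither test fires.
shellshock_status() {
    a=$(check_cve_2014_6271); b=$(check_cve_2014_7169)
    echo "CVE-2014-6271: $a"
    echo "CVE-2014-7169: $b"
    [ "$a" != vulnerable ] && [ "$b" != vulnerable ]
}

shellshock_status
```

A "vulnerable" result on either line means the device still needs the vendor update; disabling the web services, as the notice says, only limits exposure until then.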

UPDATE: Here’s Synology’s page on affected NAS models.
