September 13, 2024

Remote control execution hole

“We reported both vulnerabilities to QNAP with a four-month grace period to fix them,” said Yaniv Puyeski, an embedded software security researcher at SAM, in a blog post on Wednesday. “Unfortunately, as of the publishing of this article, the vulnerabilities have not yet been fixed.”

The two vulnerabilities were found in the NAS web server and the DLNA (Digital Living Network Alliance) server, respectively, according to Puyeski, who said SAM has withheld details about the vulnerabilities because there are tens of thousands of QNAP devices exposed to the internet.

Resolving the NAS bug is a matter of “adding input sanitizations to some core processes and library APIs,” said Puyeski.

The issue with the DLNA server, which handles UPnP requests on port 8200 via the process myupnpmediasvr, is that a remote attacker can use the server to write an arbitrary file.
