QNAP, a Taiwanese NAS manufacturer, has published security fixes for several vulnerabilities that may allow attackers to remotely inject and execute malicious code and instructions on susceptible NAS devices.
The patches cover three stored cross-site scripting (XSS) vulnerabilities rated high severity (tracked as CVE-2021-34354, CVE-2021-34356 and CVE-2021-34355). Two of them are in Photo Station and affect devices running unpatched releases (anything earlier than 5.4.10, 5.7.13 or 6.0.18, depending on which branch is installed); the third is in the Image2PDF app, covered below.
“Two stored cross-site scripting (XSS) vulnerabilities have been reported to affect QNAP NAS running Photo Station. If exploited, these vulnerabilities allow remote attackers to inject malicious code. We have already fixed these vulnerabilities in the following versions of Photo Station: Photo Station 6.0.18 (2021/09/01) and later,” QNAP noted in its security advisory.
In addition, QNAP fixed a stored XSS issue in Image2PDF affecting versions prior to 2.1.5. In a stored XSS attack the attacker's script is saved on the server inside data the application later renders, so it is served to, and executed in the browser of, every user who views the affected page, including a logged-in administrator. Unlike a reflected XSS link, the payload keeps firing until the stored data is removed, which is why the advisories describe it as letting remote attackers inject malicious code.
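The stored-XSS mechanism described above, as an added illustration that is not code from QNAP or Photo Station: a server persists a user-supplied album title and later interpolates it into a page. The in-memory store, the `/thumb/` template and the sample title are all constructed for the example; the fix shown is contextual output encoding at render time, which is where the class of bug lives.

```python
import html

# Constructed sample input: an album title carrying attacker-controlled markup.
# Illustrative only; it is not a payload from the QNAP advisories.
MALICIOUS_TITLE = 'Summer 2021<script>fetch("/cgi-bin/addUser?name=evil&admin=1")</script>'

# Hypothetical in-memory stand-in for the server-side database.
album_store = {}


def save_album(album_id, title):
    """Server side: persist the submitted title unchanged.

    Storing the raw value is acceptable; the defect is rendering it
    without encoding, so every later viewer receives the script.
    """
    album_store[album_id] = title


def render_vulnerable(album_id):
    """Vulnerable: stored data interpolated straight into HTML.

    album_id is server-assigned here; only the title is user input.
    """
    title = album_store[album_id]
    return f'<h1>{title}</h1><img src="/thumb/{album_id}" alt="{title}">'


def render_hardened(album_id):
    """Hardened: encode for the output context before the value enters the page.

    html.escape(quote=True) covers both the element-content and the
    double-quoted-attribute contexts this template uses.
    """
    safe = html.escape(album_store[album_id], quote=True)
    return f'<h1>{safe}</h1><img src="/thumb/{album_id}" alt="{safe}">'


def contains_script_tag(markup):
    """Crude indicator used only to contrast the two renderers (not a sanitizer)."""
    return "<script" in markup.lower()


def demo():
    """Store the payload once, then render it the way two viewers would see it."""
    save_album("42", MALICIOUS_TITLE)
    vulnerable = render_vulnerable("42")  # script runs in every viewer's browser
    hardened = render_hardened("42")      # same data shown as literal text
    return contains_script_tag(vulnerable), contains_script_tag(hardened)


if __name__ == "__main__":
    print(demo())
```

The point of the layout is that input filtering on the upload form is not the fix: the same stored string is harmless once the renderer encodes it for the context it lands in, and any template that skips that step re-introduces the bug.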
The company also fixed a command injection flaw (CVE-2021-34352) in the QVR IP video surveillance software on some end-of-life (EOL) QNAP devices. It lets attackers run arbitrary commands on the device, so successful exploitation can give an attacker full control of the NAS rather than just a foothold in one application.
Given the steady stream of attacks against QNAP NAS devices in recent years, customers should update all of the affected applications to the latest available versions as soon as possible.
QNAP's recommended update path for Photo Station and Image2PDF is the QTS App Center: log in to QTS as an administrator, open App Center, search for the app and click Update, then confirm the installed version is at or above the fixed release for its branch. Owners of EOL devices running QVR should consult QNAP's advisory for that product, since EOL hardware does not always receive updates through the usual channel.
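A practical check for the version thresholds quoted earlier on this page (Photo Station 5.4.10, 5.7.13 and 6.0.18; Image2PDF 2.1.5), as an added example that is not QNAP's own tooling: given versions read from App Center or an asset inventory, it decides per branch whether the fix is present. The branch-keyed table, the `audit` helper and the sample inventory are assumptions made for the example; the rule that any release at or above the listed version on the same branch carries the fix is also an assumption, and branches the advisory does not name are reported as unknown rather than safe.

```python
import re

# Fixed releases as stated on this page, keyed by branch (major, minor).
# Assumption: any release at or above the listed version on its branch is patched.
FIXED_VERSIONS = {
    "Photo Station": {(5, 4): (5, 4, 10), (5, 7): (5, 7, 13), (6, 0): (6, 0, 18)},
    "Image2PDF": {(2, 1): (2, 1, 5)},
}


def parse_version(text):
    """Return the numeric version as a tuple, ignoring trailing build/date text.

    Accepts the advisory's own format, e.g. '6.0.18 (2021/09/01)', and a 'v' prefix.
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no dotted version number in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(app, installed):
    """True/False for branches the advisory names; None when the branch is
    not covered (treat None as 'check the advisory', never as safe)."""
    version = parse_version(installed)
    branch = version[:2]
    fixed = FIXED_VERSIONS[app].get(branch)
    if fixed is None:
        return None
    return version >= fixed  # tuple comparison handles extra build components


def audit(inventory):
    """Given {(host, app): version_string}, list entries that still need action.

    Unknown branches are included deliberately so they get a human look.
    """
    return sorted(
        f"{host}: {app} {ver}"
        for (host, app), ver in inventory.items()
        if is_patched(app, ver) is not True
    )


# Constructed inventory for the demo (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = {
    ("nas-01", "Photo Station"): "6.0.17",
    ("nas-02", "Photo Station"): "6.0.18 (2021/09/01)",
    ("nas-03", "Photo Station"): "5.7.13",
    ("nas-04", "Photo Station"): "5.2.14",  # branch not named in the advisory
    ("nas-01", "Image2PDF"): "2.1.4",
}

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print("needs update:", line)
```

Comparing on the installed branch rather than against a single "latest" number matters here because a 5.7.13 install is patched while a numerically higher but pre-fix 6.0.17 is not.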
QNAP had already warned in September 2020 about a rise in ransomware attacks encrypting files on internet-exposed NAS devices. At the time, AgeLocker ransomware was infecting QNAP devices running older, unpatched versions of Photo Station, the application used for uploading photos, organising them into albums and viewing them remotely, which is one more reason to keep the app current and to avoid exposing the NAS directly to the internet.