QNAP systems has released patches with the intent to address multiple vulnerabilities influencing its products. This includes a critical-severity bug potentially leading to unauthenticated device accessibility, allowing users to compromise systems security through a network. The released patches have solved the issue. 

Security leaders weigh in

Casey Ellis, Founder and Chief Strategy Officer at Bugcrowd:

“NAS software is incredibly complex, and complexity brings with it the increased likelihood of vulnerabilities. It’s good to see that QNAP are being proactive about patching and alerting on these bugs. However, it is equally important that users of “easy to set-and-forget” products, such as NAS devices, be diligent about installing them. Or, even better, configuring automatic updates whenever possible.”

Bud Broomhead, CEO at Viakoo:

“As IoT devices often are, QNAP NAS devices reside in many parts of an organization and often are managed outside of IT.  While QNAP deserves credit for finding and issuing patches ahead of vulnerabilities being exploited, there will likely be a significant time lag before QNAP devices in the field are secured. 

Because QNAP NAS devices are high volume IoT devices deployed outside of IT, knowing that you have them and where they are can often be a challenge. Using agentless asset and application-discovery solutions can give organizations a huge advantage in addressing these threats.  

One might ask why with a high severity score QNAP does not simply force the patch to be updated on all devices.  That’s the problem with IoT devices; patching often needs to be scheduled and coordinated so that downtime does not impact operations (you don’t want to take the NAS drive offline if it’s supporting heart surgery).  Automated IoT patching mechanisms where the end user can set schedules for updates is what is needed to ensure threat actors can’t take advantage of these vulnerabilities.