QNAP users: It's your turn to patch in a hurry
Miscreants downgrading firmware to vulnerable QTS boxen
QNAP has issued a critical-rated warning for devices running its QTS operating system.
According to the Friday advisory (second in this list, no direct link), malware has been discovered on devices; it downloads and installs a vulnerable version of the firmware, QTS 4.2.5.
The advisory doesn't identify the bugs the attack would introduce, but says they're already known. However, in April QNAP mentioned “multiple network vulnerabilities” in that version of the firmware.
“The malware may also potentially result in unauthorised access to NAS data,” the latest advisory says.
Users should check whether their firmware has been changed to 4.2.5. If so, they should run the company's malware remover (version 2.1.2) and install QTS 4.3.3 if the device supports it; if not, they should install the latest official 4.2.5 release.
All user passwords need to be changed after the firmware upgrade.
QNAP boxen are sometimes sold under other brands, including Cisco. So no matter what it says on your small business NAS' chassis, it may be worth figuring out what's running under the hood to quash these bugs. ®