Last week QNAP announced a solution for . On May 27, QNAP published an update addressing security vulnerabilities that could affect specific versions of QNAP products (all NAS running QTS).

QNAP Security Advisory for Samba Writable Share Vulnerability

FOR THE LATEST UPDATE (06/02/2017) PLEASE SEE THE BOTTOM OF THE PAGE

The Samba team has released an advisory for a writable share vulnerability (CVE-2017-7994) that allows users with write access to upload a shared library and then execute malicious code.

QNAP is still working on a fix and plans to release an update in the coming days. Here are some temporary solutions for this vulnerability that have been found so far.

Models that need to be updated

VS-2108-PRO+ , VS-2104-PRO+ , VS-4116-PRO+ , VS-2104L , VS-4116U-RP-Pro+ , QNAP VS-2108L
VS-6120-PRO+ , VS-12164U-RP-Pro+ , VS-2112-Pro+ , VS-8148U-RP-Pro+ , VS-8132U-RP-Pro+ ,
VS-8124U-RP-Pro+ , VS-4108-PRO+ , VS-4112-PRO+ , VS-12140U-RP-Pro+ , VS-8132-PRO+ ,
VS-6116-PRO+ , VS-8124-PRO+ , VS-12148U-RP-Pro+ , VS-6112-PRO+ , VS-8148-PRO+ ,
VS-8140U-RP-Pro+ , VS-12156U-RP-Pro+ , VS-8140-PRO+ , VS-4108U-RP-Pro+ ,
VS-4112U-RP-Pro+ , VS-2208-Pro+ , VS-2204-Pro+ , VS-2212-Pro+ , VS-6016 Pro VioStor ,
VS-6012 Pro VioStor

If you have an x86 NAS (Intel/AMD CPUs) running QTS 4.3.x, please install these patches.

PATCHES

a) TS-x69 Pro, x69L, x69U series
b) Other NAS x86_64 series
c) ARM Marvell Kirkwood (X10 / X12 / X19 / X20 / X21 series)
d) ARM Annapurna Labs, V71 (X31+ / X31P / X31X / X31XU / X28 / TAS-X68 series)
e) ARM Comcerto 2000 EVM (armv7l) (X31 / 31U series)

For other QTS versions and NAS platforms, you may use the following workaround until further patches are provided.
The guide can also be downloaded as a PDF.

1. Download and run putty.exe (the SSH and Telnet client itself) from

2. Enter the NAS IP address in “Host Name (or IP address)” and click Open

3. If a dialog prompt pops up, click Yes

4. Enter admin as the username and type in the password
(the password will not be displayed as you enter it)

5. Now you are at the NAS command prompt and can enter commands

6. Enter the following command: (all on a single line)
==================================================
cp /etc/config/smb.conf /etc/config/smb.conf.copy;sed -i '/^nt pipe support/d' /etc/config/smb.conf;sed -i '/\[global\]/ant pipe support = no' /etc/config/smb.conf;/etc/init.d/smb.sh restart
==================================================

7. After executing the command, shared folders will not appear when accessing the NAS using the NAS IP address in Windows File Explorer. The following error message will be displayed.

8. To access shared folders using File Explorer, you must use the full folder path. For example: \\<NAS IP address>\public.

9. After applying the workaround, if you see the following error message when using the full folder path (e.g. \\<NAS IP address>\public), restarting your computer will resolve the problem.

10. If you want to reverse these settings, run these commands: (all on a single line)
==================================================
mv /etc/config/smb.conf.copy /etc/config/smb.conf;sed -i '/^nt pipe support/d' /etc/config/smb.conf;/etc/init.d/smb.sh restart
==================================================
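
An added example, not part of QNAP's advisory: a shell check that reports whether `nt pipe support = no` is actually in effect in the `[global]` section of a given smb.conf, with the two `sed` edits from step 6 wrapped so they can be rehearsed on a copy before touching /etc/config/smb.conf. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not QNAP's script). Works on any file path, so it can be
# tried on a copy of smb.conf; it never restarts Samba.

# Report the effective [global] "nt pipe support" setting in file $1:
#   disabled = workaround present; default/enabled = named pipes still on.
nt_pipe_state() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0)
            sub(/^[ \t]*\[[ \t]*/, "", s); sub(/[ \t]*\].*$/, "", s)
            in_global = (s == "global"); next
        }
        in_global && tolower($0) ~ /^[ \t]*nt[ \t]+pipe[ \t]+support[ \t]*=/ {
            v = tolower($0)
            sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            val = v                                 # last assignment wins
        }
        END {
            if (val == "") print "default"          # Samba default is yes
            else if (val ~ /^(no|false|off|0)$/) print "disabled"
            else print "enabled"
        }
    ' "$1"
}

# The two sed edits from step 6, as written on the page, applied to file $1.
apply_workaround() {
    cp "$1" "$1.copy"
    sed -i '/^nt pipe support/d' "$1"
    sed -i '/\[global\]/ant pipe support = no' "$1"
}

# Constructed sample config, written to a temp file whose path is printed.
make_sample_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' '[global]' 'workgroup = NAS' 'security = USER' \
        '[Public]' 'path = /share/Public' 'writable = yes' > "$f"
    echo "$f"
}

conf=$(make_sample_conf)
echo "before: $(nt_pipe_state "$conf")"
apply_workaround "$conf"
echo "after:  $(nt_pipe_state "$conf")"
rm -f "$conf" "$conf.copy"
```

A result of `default` or `enabled` after step 6 means the line did not land in `[global]`, for example because the section header in the file is spelled differently from what the `sed` pattern matches.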

QNAP has released the following security fixes. (06/02/2017)

  • Qfix for the Samba Writable Share Vulnerability on QTS 4.3.x: Upgrade to QTS 4.3.3 before installing the Qfix.
  • Qfix for the Samba Writable Share Vulnerability on QTS 4.2.x: Upgrade to QTS 4.2.6 before installing the Qfix.

Installing an Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.

Tip: You can also download the build from the QNAP website. Go to Support > Download and then perform a manual update.

Downloading the Qfix

  1. Go to download.qnap.com.
  2. Specify the number of bays and the NAS model.
  3. Under Firmware, locate the Qfix.
  4. Under Download, click your region.
  5. Locate and unzip the compressed file.

Installing the Qfix

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Firmware Update, click Browse and then locate the Qfix file.
  4. Click Update System.

Seth ADAMS

Nov 11th 2020 Tony