Last week, QNAP Security announced the release of the QVR 5.0.2 firmware for the VioStor NVR line. This release has two purposes: to fix a security error, and to add more compatibility for IP cameras.

QVR 5.0.2 sees the expansion of compatibility with over 200 additional IP camera models. This opens up the choices to users of this platform to over 3,000 IP cameras from 111 brands when building security systems.

Most notably, though, this patch fixes the security vulnerability known as "Shellshock," or the GNU Bash Environment Variable Command Injection Vulnerability, which allows attackers to gain remote control over UNIX/Linux systems. This leaves systems vulnerable to damage from third parties with malicious intent. These third party attackers can get into your system in seconds, causing damage that will take a considerable amount of time to repair.

QNAP Security Releases GNU Bash Patch

Last week, QNAP Security announced the release of the QVR 5.0.2 firmware for the VioStor NVR line. This release has two purposes: to fix a security error, and to add more compatibility for IP cameras.

QVR 5.0.2 sees the expansion of compatibility with over 200 additional IP camera models. This opens up the choices to users of this platform to over 3,000 IP cameras from 111 brands when building security systems.

Most notably, though, this patch fixes the security vulnerability known as "Shellshock," or the GNU Bash Environment Variable Command Injection Vulnerability, which allows attackers to gain remote control over UNIX/Linux systems. This leaves systems vulnerable to damage from third parties with malicious intent. These third party attackers can get into your system in seconds, causing damage that will take a considerable amount of time to repair.

The staff at QNAP, as well as us here at A1 Security Cameras, strongly recommend that all users upgrade their NVR to this version of the QVR firmware to protect your systems from harm. Even though the other four revealed vulnerabilities (CVE-2014-6277, CVE-2014-6278, CVE-2014-7186 and CVE-2014-7187) do not directly impact the VioStor system, QNAP still plans to release another new firmware update version to fix the security risk. Details of that release are not yet available.

The QVR 5.0.2 update is applicable to the following VioStor NVR models:

  • VS-12164U-RP Pro+/ 12156U-RP Pro+/ 12148U-RP Pro+/ 12140U-RP Pro+
  • VS-12164U-RP Pro/ 12156U-RP Pro/ 12148U-RP Pro/ 12140U-RP Pro
  • VS-8148U-RP Pro+/ 8140U-RP Pro+/ 8132U-RP Pro+/ 8124U-RP Pro+
  • VS-8148U-RP Pro/ 8140U-RP Pro/ 8132U-RP Pro/ 8124U-RP Pro
  • VS-8148 Pro+/ 8140 Pro+/ 8132 Pro+/ 8124 Pro+
  • VS-6120/ 6116/ 6112 Pro+
  • VS-6020/ 6016/ 6012 Pro
  • VS-4116/ 4112/ 4108U-RP Pro+
  • VS-4016/ 4012/ 4008U-RP Pro
  • VS-4116/ 4112/ 4108 Pro+
  • VS-4016/ 4012/ 4008 Pro
  • VS-2112/ 2108/ 2104 Pro+
  • VS-2012/ 2008/ 2004 Pro
  • VS-2108L/ VS-2104L

You can find the QVR 5.0.2 to download at QNAP's website.

QNAP Releases New QTS for Turbo NAS with Official GNU Bash Patch Update

Pomona, CA, October 5, 2014QNAP Security, today released QTS 4.1.1 Build 1003 for its Turbo NAS lineup with an official GNU Bash patch update. QNAP's security lab has verified QTS 4.1.1 Build 1003 and confirmed it has fixed all currently known Bash security vulnerabilities. All users (including those who have installed QTS 4.1.1 Build 0927 and Qfix 1.0.1) are strongly advised to upgrade their Turbo NAS to this QTS version.

QTS 4.1.1 Build 1003 has fixed the GNU Bash Environment Variable Command Injection Vulnerability (CVE-2014-6271, CVE-2014-7169, CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187), also known as "Shellshock," that can allow attackers to gain remote control over UNIX/Linux-based systems. For users who wish to continue using QTS 3.8 to 4.0, QNAP will soon release a Qfix security patch.

QTS 4.1.1 Build 1003 can be installed in the following two ways:

Live Update

QTS> Control Panel> System Settings> Firmware Update> Live Update

Manual Update

  1. Download the firmware from the QNAP website: (qnap.com/download)
  2. QTS> Control Panel>System Settings> Firmware Update> Firmware Update

This firmware is applicable to the following Turbo NAS models:

  • WTS-EC880 Pro, TS-EC1080 Pro, TS-EC880U-RP, TS-EC1280U-RP, TS-EC1680U-RP, TS-EC2480U-RP
  • TS-879 Pro, TS-1079 Pro, TS-879U-RP/EC879U-RP , TS-1279U-RP/EC1279U-RP, TS-1679U-
  • RP/EC1679U-RP, SS-EC1279U-SAS-RP, SS-EC1879U-SAS-RP, SS-EC2479U-SAS-RP
  • TS-470, TS-470 Pro, TS-670, TS-670 Pro, TS-870, TS-870 Pro
  • TS-1270U-RP, TS-870U-RP, TS-1269U-RP,TS-869U-RP, TS-269 Pro/269L, TS-469 Pro/469L, TS-469U-
  • RP/SP, TS-569 Pro/569L, TS-669 Pro/669L, TS-869 Pro/869L
  • SS-453 Pro, SS-853 Pro, TS-253 Pro, TS-453 Pro, TS-653 Pro, TS-853 Pro
  • TS-251, TS-451, TS-651, TS-851
  • HS-210, HS-251, IS-400 Pro
  • TS-121, TS-221, TS-421, TS-421U
  • TS-120, TS-220, TS-420, TS-420U
  • TS-119/119P+/119P II, TS-219/219P/219P+/219P II, TS-419P/419P+/419P II, TS-419U/419U+/419U II
  • TS-259 Pro/259 Pro+, TS-459 Pro/459 Pro+/459 Pro II, TS-459U-RP/SP, TS-459U-RP+/SP+, TS-559
  • Pro/559 Pro+/559 Pro II, TS-659 Pro/659 Pro+/659 Pro II, TS-859 Pro/859 Pro+, TS-859U/859U+
  • SS-439 Pro, SS-839 Pro, TS-239 Pro, TS-239H, TS-239 Pro II, TS-239 Pro II+, TS-439 Pro, TS-439 Pro II,
  • TS-439 Pro II+, TS-439U RP/SP, TS-639 Pro
  • TS-110, TS-210, TS-410, TS-410U
  • TS-112/112P, TS-212/212P/212-E, TS-412, TS-412U
  • TS-509 Pro, TS-809 Pro, TS-809U-RP

QNAP will soon release a patch to fix Bash security issues for the following Turbo NAS models, VioStor NVR models and NMP media players:

Turbo NAS: TS-109/209/409/409U series

VioStor NVR (QVR 5.0.2 version)

  • WVS-12164U-RP Pro+/ 12156U-RP Pro+/ 12148U-RP Pro+/ 12140U-RP Pro+
  • VS-8148U-RP Pro+/ 8140U-RP Pro+/ 8132U-RP Pro+/ 8124U-RP Pro+
  • VS-8148U-RP Pro/ 8140U-RP Pro/ 8132U-RP Pro/ 8124U-RP Pro
  • VS-8148 Pro+/ 8140 Pro+/ 8132 Pro+/ 8124 Pro+
  • VS-6120/ 6116/ 6112 Pro+
  • VS-6020/ 6016/ 6012 Pro
  • VS-4116/ 4112/ 4108U-RP Pro+
  • VS-4016/ 4012/ 4008U-RP Pro
  • VS-4116/ 4112/ 4108 Pro+
  • VS-4016/ 4012/ 4008 Pro
  • VS-2112/ 2108/ 2104 Pro+
  • VS-2012/ 2008/ 2004 Pro
  • VS-2108L/ VS-2104L

Media players: NMP-1000P, NMP-1000

The following models are not affected by Bash security vulnerabilities:

  • Turbo NAS: TS-431, TS-231, TS-131, TS-201, TS-101, TS-100
  • QGenie: QG-103N
Jun 9th 2021 richard

Recent Posts