Security ID: NAS-201508-07

Security vulnerabilities addressed in QTS 4.1.4 build 0804


  • Release date: August 7, 2015

  • Affected products: All Turbo NAS series with firmware prior to 4.1.4 build 0804

Severity

Critical

Status

Resolved


Summary

The QTS 4.1.4 build 0804 firmware includes several security fixes. The vulnerabilities are listed below.

  • Fixed a vulnerability associated with privilege escalation in “Change Password” function.
  • Fixed cross-site scripting (XSS) vulnerabilities in the “Edit Account Profile” page, File Station, Syslog Viewer, and System Connection Logs.
    We would like to express our gratitude to Tony Martin, a security architect and researcher, for his discovery of the above two issues.
  • Fixed a CGI vulnerability that could lead to unauthorized execution of arbitrary code by remote users.
    Our thanks and gratitude to the discoverer: Luca Carettoni working with Beyond Security's SecuriTeam Secure Disclosure program.
  • Fixed one Music Station and three File Station vulnerabilities.
    Music Station: directory traversal vulnerability.
    File Station: two vulnerabilities with authenticated directory traversal, and one XSS vulnerability with file sharing.
    We would like to express our gratitude to Peter Kostiuk, security researcher at Salesforce.com, for his discovery of this issue.
  • Fixed an OpenSSH vulnerability (CVE-2015-5352).
  • We recommend that you upgrade PHP to the latest version by downloading it from the App Center as this version addresses multiple vulnerabilities. To ensure reliability, users should check for compatibility before upgrading.
  • We recommend that you upgrade MySQL to the latest version by downloading QMariaDB from the App Center as this version addresses multiple vulnerabilities. To ensure reliability, users should check for compatibility before upgrading.
  • Fixed PPP vulnerabilities that could be exploited to execute arbitrary code and/or crash the affected application, causing a denial of service (CVE-2015-3310, CVE-2014-3158).
  • Fixed various OpenSSL vulnerabilities that could allow remote attackers to cause a denial of service, validate untrusted SSL certificates, etc. (CVE-2015-4000, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, and CVE-2015-1793).
  • Fixed Logjam vulnerability (CVE-2015-4000) in Apache, OpenVPN, and ProFTPD.
    The Logjam attack allows an attacker to downgrade vulnerable TLS connections that use Diffie-Hellman key exchange to 512-bit export-grade cryptography. Successful exploitation can compromise data privacy.
  • Removed SSLv3 support in ProFTPD to fix the POODLE vulnerability (CVE-2014-3566).
    The POODLE vulnerability (Padding Oracle On Downgraded Legacy Encryption) affects an older encryption standard, specifically Secure Sockets Layer (SSL) version 3, and not the newer encryption mechanism, Transport Layer Security (TLS). This flaw allows a man-in-the-middle attacker to decrypt ciphertext and cause data security problems.

Recommendations

To fix these security issues, log in to your NAS as an administrator, go to “Control Panel” > “Firmware Update”, and then update your NAS using either live or manual update. For instructions on how to update NAS firmware, see “How to update your QNAP NAS’s firmware?”

If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/

Revision history: 2015-08-07
