Security ID: NAS-201911-22

Security Advisory for Arbitrary File Copy Vulnerability in mod_copy in ProFTPD (CVE-2019-12815)


  • Release date: November 22, 2019

  • CVE identifier: CVE-2019-12815

  • Affected products: N/A

Severity

Status

Resolved


Summary

An arbitrary file copy vulnerability in mod_copy in ProFTPD allows for remote code execution and information disclosure without authentication (CVE-2019-12815).

QNAP has verified that the ProFTPD used in QTS does not involve mod_copy, and therefore QNAP NAS devices are not affected by this vulnerability.
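QNAP's conclusion rests on its ProFTPD build not including mod_copy. As an added example (not QNAP's or ProFTPD's code), the following Python helpers apply the same check to any ProFTPD host: they parse the module listing printed by `proftpd -l` and the LoadModule lines of proftpd.conf; the listing and config text below are constructed samples, not captured from a device.

```python
"""Check whether a ProFTPD build or configuration exposes mod_copy, the module
affected by CVE-2019-12815. Added example, not QNAP's or ProFTPD's code."""
import re
from dataclasses import dataclass


@dataclass
class ModCopyStatus:
    compiled_in: bool    # mod_copy.c is listed among the compiled-in modules
    loaded_as_dso: bool  # proftpd.conf has an active LoadModule mod_copy.c

    def exposed(self) -> bool:
        """The SITE CPFR/CPTO commands exist if the module is present either way."""
        return self.compiled_in or self.loaded_as_dso


def parse_module_list(listing: str) -> set:
    """Extract module names (mod_*.c) from the text printed by `proftpd -l`."""
    names = (line.strip() for line in listing.splitlines())
    return {n for n in names if n.startswith("mod_") and n.endswith(".c")}


def config_loads(config: str, module: str) -> bool:
    """True if proftpd.conf has an uncommented LoadModule line for `module`."""
    pattern = re.compile(r"^[ \t]*LoadModule[ \t]+" + re.escape(module) + r"[ \t]*$", re.M)
    return pattern.search(config) is not None


def assess(listing: str, config: str) -> ModCopyStatus:
    """Combine the build listing and the config into one verdict."""
    return ModCopyStatus(
        compiled_in="mod_copy.c" in parse_module_list(listing),
        loaded_as_dso=config_loads(config, "mod_copy.c"),
    )


# Constructed sample data (not captured from a real QNAP device).
SAMPLE_LISTING = """Compiled-in modules:
  mod_core.c
  mod_xfer.c
  mod_auth_unix.c
  mod_auth.c
  mod_ls.c
  mod_log.c
  mod_site.c
  mod_dso.c
"""
SAMPLE_CONF_SAFE = 'ServerName "NAS FTP"\n#LoadModule mod_copy.c\nLoadModule mod_tls.c\n'
SAMPLE_CONF_DSO = 'ServerName "NAS FTP"\nLoadModule mod_copy.c\n'

if __name__ == "__main__":
    for name, conf in (("safe", SAMPLE_CONF_SAFE), ("dso", SAMPLE_CONF_DSO)):
        print(name, assess(SAMPLE_LISTING, conf))
```

On a real host, feed `assess()` the actual output of `proftpd -l` and the contents of the running proftpd.conf; a commented-out LoadModule line is correctly treated as not loading the module.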

Recommendation

Although this issue does not affect QNAP NAS, we still recommend following these steps to enhance the security of your device.

  1. Update QTS to the latest available version.
  2. Install and update Malware Remover to the latest version.
  3. Install and update Security Counselor to the latest version.
  4. Use a stronger admin password.
  5. Enable IP and account access protection to prevent brute-force attacks.
  6. Disable SSH and Telnet connections if you are not using these services.
  7. Avoid using default port numbers 443 and 8080.

Note:
Malware Remover (supported by QTS 4.2 and later) and Security Counselor (supported by QTS 4.3.5 and later) may not be available on older QNAP NAS models. You can check the product support status of your NAS model.

Installing the QTS Update

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS downloads and installs the latest available update.

Installing and Running the Latest Version of Malware Remover

  1. Log on to QTS as administrator.
  2. Open the App Center and then click the Search icon.
    A search box appears.
  3. Type “Malware Remover” and then press ENTER.
    Malware Remover appears in the search results.
  4. Click Install or Update.
    A confirmation message appears.
  5. Click OK.
    QTS installs the latest version of Malware Remover.
  6. Open Malware Remover.
  7. Click Start Scan.
    Malware Remover scans the NAS for malware.

Installing and running the latest version of Security Counselor

  1. Log on to QTS as administrator.
  2. Open the App Center, and then click the Search icon.
    A search box appears.
  3. Type “Security Counselor” and then press ENTER.
    Security Counselor appears in the search results.
  4. Click Install or Update.
    A confirmation message appears.
  5. Click OK.
    QTS installs the latest version of Security Counselor.
  6. Open Security Counselor.
  7. Click Scan.
    Security Counselor checks the NAS against its security rules.

Changing the Device Password

  1. Log on to QTS as administrator.
  2. Click the profile picture on the QTS Task Bar.
    The Options window opens.
  3. Click Change Password.
  4. Specify the old password.
  5. Specify the new password.
    QNAP recommends using the following criteria to improve password strength:
    • Should be at least 8 characters in length
    • Should include both uppercase and lowercase characters
    • Should include at least one number and one special character
    • Must not be the same as the username or the username reversed
    • Must not include characters that are consecutively repeated three or more times
  6. Verify the new password.
  7. Click Apply.

Enabling IP and Account Access Protection

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > Security.
  3. Select IP Access Protection.
  4. Enable SSH and HTTP(S) access protection.
    1. Select SSH and HTTP(S).
    2. Specify time periods and the number of failed login attempts.
  5. Select Account Access Protection.
  6. Enable SSH and HTTP(S) access protection.
    1. Select SSH and HTTP(S).
    2. Specify time periods and the number of failed login attempts.
  7. Click Apply.

Disabling SSH and Telnet Connections

  1. Log on to QTS as administrator.
  2. Go to Control Panel > Network & File Services > Telnet/SSH.
  3. Deselect Allow Telnet connection.
  4. Deselect Allow SSH connection.
  5. Click Apply.

Changing the System Port Number

  1. Log on to QTS as administrator.
  2. Go to Control Panel > System > General Settings > System Administration.
  3. Specify a new system port number.
    Warning: Do not use 443 or 8080.
  4. Click Apply.


Revision history: V1.0 (November 22, 2019) - Published
