Fix for critical helpdesk vulnerability in QNAP NAS devices (Oct. 7, 2020)

[German]Vendor QNAP has fixed two critical vulnerabilities in its helpdesk application that could allow potential attackers to take over unpatched Network Attached Storage (NAS) devices from QNAP.


Advertising

On October 7, 2020, QNAP issued Security Advisory QSA-20-08, which addresses the two vulnerabilities CVE-2020-2506 and CVE-2020-2507 in the helpdesk app. Helpdesk is the integrated application that comes with QNAP's NAS devices and allows admins to submit help requests to the QNAP support team via the Internet.

  • CVE-2020-2506: By exploiting this vulnerability in the access control to the helpdesk, attackers could gain control of a QNAP device.
  • CVE-2020-2507: If this vulnerability in helpdesk access control is exploited, attackers could also gain control of a QNAP device.

Both vulnerabilities are classified as critical by the vendor QNAP. QNAP has fixed these vulnerabilities in Helpdesk 3.0.3 and later versions. The vendor strongly recommends updating the Helpdesk to the latest version to fix the vulnerabilities. The following steps are required to update the Helpdesk:

1. Log on to QTS as administrator.

2. Open the App Center, then click on the magnifying glass icon of the search so that the search box appears.

3. Type "Helpdesk", then press ENTER. The Helpdesk application will appear in the search results.


Advertising

4. Click Update and wait for a confirmation to appear. If the Update button is missing, the latest version of the Helpdesk is ready to be installed.

Confirm with OK to initiate the update of the Helpdesk. Bleeping Computer has published a screenshot of the relevant interface.

Similar articles:
AgeLocker Ransomware attacks QNAP NAS drives
QNAP Security Advisory about eCh0raix Ransomware


Advertising

This entry was posted in devices, Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).