{"id":16238,"date":"2020-10-08T16:26:28","date_gmt":"2020-10-08T14:26:28","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=16238"},"modified":"2020-10-08T16:26:28","modified_gmt":"2020-10-08T14:26:28","slug":"fix-fr-kritische-schwachstelle-in-qnap-nas-gerten-7-10-2020","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/10\/08\/fix-fr-kritische-schwachstelle-in-qnap-nas-gerten-7-10-2020\/","title":{"rendered":"Fix for critical helpdesk vulnerability in QNAP NAS devices (Oct. 7, 2020)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" align=\"left\" height=\"47\">[<a href=\"https:\/\/www.borncity.com\/blog\/2020\/10\/08\/fix-fr-kritische-schwachstelle-in-qnap-nas-gerten-7-10-2020\/\" target=\"_blank\" rel=\"noopener noreferrer\">German<\/a>]Vendor QNAP has fixed two critical vulnerabilities in its helpdesk application that could allow potential attackers to take over unpatched Network Attached Storage (NAS) devices from QNAP.<\/p>\n<p>On October 7, 2020, QNAP issued Security Advisory <a href=\"https:\/\/www.qnap.com\/de-de\/security-advisory\/qsa-20-08\" target=\"_blank\" rel=\"noopener noreferrer\">QSA-20-08<\/a>, which addresses the two vulnerabilities CVE-2020-2506 and CVE-2020-2507 in the helpdesk app. 
<a href=\"https:\/\/www.qnap.com\/en\/how-to\/tutorial\/article\/how-to-use-the-helpdesk-app-to-solve-issues-and-provide-feedback\/\" target=\"_blank\" rel=\"noopener noreferrer\">Helpdesk<\/a> is the integrated application that comes with QNAP's NAS devices and allows admins to submit help requests to the QNAP support team via the Internet.<\/p>\n<ul>\n<li>CVE-2020-2506: By exploiting this vulnerability in Helpdesk's access control, attackers could gain control of a QNAP device.<\/li>\n<li>CVE-2020-2507: If this vulnerability in Helpdesk's access control is exploited, attackers could also gain control of a QNAP device.<\/li>\n<\/ul>\n<p>Both vulnerabilities are classified as critical by the vendor QNAP. QNAP has fixed these vulnerabilities in Helpdesk 3.0.3 and later versions. The vendor strongly recommends updating Helpdesk to the latest version to fix the vulnerabilities. The following steps are required to update Helpdesk:<\/p>\n<p>1. Log on to QTS as administrator.<\/p>\n<p>2. Open the App Center, then click the magnifying glass icon so that the search box appears.<\/p>\n<p>3. Type \"Helpdesk\", then press ENTER. The Helpdesk application will appear in the search results.<\/p>\n<p>4. Click <em>Update<\/em> and wait for a confirmation to appear. If the <em>Update<\/em> button is missing, the latest version of the Helpdesk is ready to be installed. <\/p>\n<p>Confirm with OK to start the Helpdesk update. Bleeping Computer has <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/qnap-fixes-critical-flaws-that-could-lead-to-device-takeover\/\" target=\"_blank\" rel=\"noopener noreferrer\">published<\/a> a screenshot of the relevant interface. 
<\/p>\n<p><strong>Similar articles:<br \/><\/strong><a href=\"https:\/\/borncity.com\/win\/2020\/09\/29\/agelocker-ransomware-zielt-auf-qnap-nas-laufwerke\/\">AgeLocker Ransomware attacks QNAP NAS drives<\/a><br \/><a href=\"https:\/\/borncity.com\/win\/2020\/06\/12\/qnap-sicherheitswarnung-vor-ech0raix-ransomware\/\">QNAP Security Advisory about eCh0raix Ransomware<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Vendor QNAP has fixed two critical vulnerabilities in its helpdesk application that could allow potential attackers to take over unpatched Network Attached Storage (NAS) devices from QNAP.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[448,580,1547],"tags":[701,69],"class_list":["post-16238","post","type-post","status-publish","format-standard","hentry","category-devices","category-security","category-software","tag-device","tag-security"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/16238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=16238"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/16238\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=16238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=16238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=16238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}