
You can keep your eye out for QNAP updates via the company’s decently laid-out Security Advisories page.
A web client sending in a supersized HTTP request could cause a buffer overflow, thus provoking a server crash or even leading to an exploitable code execution hole. Check that the HTTP Server configuration setting LimitXMLRequestBody is set to 1MByte (the default) or below.

If you have turned on the Apache HTTP Server mod_sed extension, which allows you to set up incoming and outgoing content filtering rules, you may be vulnerable to memory mismanagement bugs if extra-supersized HTTP requests (bigger than 2Gbyte!) are received. (The name mod_sed is shorthand for stream editing module, meaning that it can apply text editing rules to requests as they arrive, or to replies just before they’re sent out.) We’re not sure why you would need to turn mod_sed on, but QNAP seems to think there may be customers who are using this feature.

QNAP says it intends to patch its devices, promising that it “will release security updates as soon as possible”, although we don’t want to guess how soon that will be, given that Apache itself made the patches publicly available just over five weeks ago.
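
The two configuration checks described above, as an added example that is not from the original article or from QNAP: it flags a LimitXMLRequestBody value above httpd's documented default (or set to 0) and any sign that mod_sed is enabled. It assumes you supply the text of a single configuration file; the sample configuration is constructed, and Include directives are not followed.

```python
# Added example: audit Apache httpd configuration text for the two settings above.
DEFAULT_XML_LIMIT = 1_000_000  # httpd's documented LimitXMLRequestBody default, in bytes

def audit_httpd_conf(text):
    """Return [(line_number, finding)] for risky LimitXMLRequestBody / mod_sed settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):  # blank line or comment
            continue
        directive = parts[0].lower()  # directive names are case-insensitive
        arg = parts[1] if len(parts) > 1 else ""
        if directive == "limitxmlrequestbody":
            if not arg.isdigit():
                findings.append((no, f"LimitXMLRequestBody value {arg!r} is not a byte count"))
            elif int(arg) == 0:
                findings.append((no, "LimitXMLRequestBody 0 sets no configured limit"))
            elif int(arg) > DEFAULT_XML_LIMIT:
                findings.append((no, f"LimitXMLRequestBody {arg} exceeds {DEFAULT_XML_LIMIT}"))
        elif directive == "loadmodule" and arg == "sed_module":
            findings.append((no, "mod_sed is loaded"))
        elif directive in ("inputsed", "outputsed"):
            findings.append((no, f"mod_sed rule in use ({parts[0]})"))
    return findings

SAMPLE_CONF = """\
# constructed sample, not taken from a QNAP device
ServerName nas.example
LoadModule dav_module modules/mod_dav.so
#LoadModule sed_module modules/mod_sed.so
LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 2147483647
<Location "/dav">
    limitxmlrequestbody 0
    OutputSed "s/foo/bar/g"
</Location>
"""

if __name__ == "__main__":
    for line_no, finding in audit_httpd_conf(SAMPLE_CONF):
        print(f"line {line_no}: {finding}")
```
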
Just over a month ago, Apache released version 2.4.53 of its HTTP Server, fixing several CVE-tagged bugs, including at least two that could lead to crashes or even remote code execution (RCE). Unfortunately, QNAP hasn’t yet pushed out the HTTP Server 2.4.53 update to its own devices, although it is now warning that two of the bugs that were fixed, CVE-2022-22721 and CVE-2022-23943, do affect some of its products. Fortunately, exploiting those bugs relies on features in the HTTP Server code that are not enabled by default on QNAP devices, and that you can easily turn off temporarily if you have enabled them.
You don’t get to choose which web server, or which version, is used for configuring and managing the device. What if the NAS web server software has security bugs? Once again, you typically need to rely on the vendor for security updates. QNAP’s devices generally use httpd, the popular Apache HTTP Server Project, running on a customised distro of Linux. (Apache is the name of a software foundation that looks after a web server project amongst hundreds of others. Although many people use “Apache” as shorthand for the web server, we recommend you don’t, because it’s confusing, rather like referring to Windows as “Microsoft” or to Java as “Oracle”.)
You may be unable to install updates yourself even if you are able to figure out which patches are needed, so you have to rely on the vendor for updates.

Loosely speaking, a NAS device is like an old-school file server that connects directly to your LAN, so it’s accessible and usable even if your internet connection is slow or broken. Unlike an old-school file server, however, the operating system and file-serving software are preinstalled and preconfigured for you, as part of the device, so it Just Works. No need to learn how to install Linux and Samba, or to wrangle with Windows Server licences, or to specify and build a server of your own and administer it.

Home and small office NAS devices, which typically range in size from that of a small dictionary to that of a large encyclopedia, provide you with the ready-to-go convenience of cloud storage, but in the custodial comfort of your own network.

QNAP, the maker of Network Attached Storage (NAS) devices that are especially popular with home and small business users, has issued a warning about not-yet-patched bugs in the company’s products.
