
====================================================================

                              CERT-Renater

                   Information Note No. 2016/VULN303
_____________________________________________________________________

DATE                : 29/08/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): QTS firmware versions prior to 4.2.0, 4.2.1, 4.2.2.

======================================================================
https://www.qnap.com/en/support/con_show.php?cid=96
_____________________________________________________________________

Security Alert for Reported Vulnerabilities in QTS

Release date: August 26, 2016
Last updated: August 26, 2016
Bulletin ID: NAS-201608-26
Severity rating: High
Affected products:

     All QNAP NAS running QTS firmware version 4.2.0, 4.2.1, or 4.2.2

Summary

QNAP is currently investigating several vulnerabilities reported by
SySS GmbH, an IT security company. The reported vulnerabilities expose
systems to compromise through cross-site scripting, command injection,
and arbitrary file overwriting. Successful exploitation grants
attackers administrator access to the compromised NAS. However, these
vulnerabilities are not easily exploited.

We will update QTS and then release fixes as soon as possible. In the
meantime, users must enable secure connection on the QTS Control Panel,
and use the latest versions of Google Chrome or Microsoft Internet
Explorer whenever accessing the QTS desktop from a web browser. We also
recommend installing antivirus software and avoiding untrusted websites.

Enabling HTTPS Connection

     1. Go to Control Panel > System Settings > General Settings >
        System Administration.
     2. Select the following:
        - Enable secure connection (HTTPS)
        - Force secure connection (HTTPS) only
     3. Click Apply.


If you have any questions regarding this issue, please contact us at
https://helpdesk.qnap.com/

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================




