
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN205
_____________________________________________________________________

DATE                : 06/04/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QNAP QTS versions prior to
                              4.3.6.1620 Build 20210322.

=====================================================================
https://www.qnap.com/en/release-notes/qts/4.3.6.1620/20210322
_____________________________________________________________________


QTS 4.3.6.1620 Build 20210322

2021-04-01
Important Notes

    To ensure system functionality, after updating QTS to 4.3.6, please
also update Container Station to 1.9 in App Center before enabling QVR
Pro.

    The RADVD service previously did not have an outgoing interface.
Please reconfigure the RADVD service after upgrading.

    Due to security concerns, support for "Wi-Fi ad-hoc mode" has been
removed.

    This QTS update changes the file system of the system partition to
ext4 for ARM-based models with Annapurna Labs processors. For data
security reasons, you are not able to downgrade QTS to a previous
version after this update. Affected models: TS-131P, TS-231P, TS-431P,
TS-531P, TS-231+, TS-431+, TS-231P2, TS-431P2, TS-431X, TS-431X2,
TS-531X, TS-831X, TS-1231XU-RP, TS-1231XU, TS-831XU-RP, TS-831XU,
TS-431XU-RP, TS-431XU, TS-431XeU, and TS-1635.

    For the status of QTS updates and maintenance for your NAS model,
visit https://www.qnap.com/en/product/eol.php

    When QTS 4.3.x is installed on NAS models running on 64-bit Intel
and AMD processors, some applications may not be supported. To check if
installed apps on your NAS are compatible with QTS 4.3.x, download the
QTS 64-bit compatibility tool and install it on your current QTS build.
(https://download.qnap.com/QPKG/CF64_0.1-1114.qpkg.zip)

    Below are the kernel versions for NAS models that are supported by
QTS 4.3.6: (1) Kernel 3.10.20: TS-128, TS-228 (2) Kernel 3.2.26: TS-x31,
TS-x31U (3) Kernel 4.2.8: all other models supported by QTS 4.3.6

    Due to the limitations of future kernel updates, QTS 4.3.6 is the
final available QTS update for the following NAS models:
TS-EC1679U-SAS-RP, TS-EC1679U-RP, TS-1679U-RP, TS-EC1279U-SAS-RP,
TS-EC1279U-RP, TS-1279U-RP, TS-1079 Pro, TS-EC879U-RP, TS-879U-RP,
TS-1270U-RP, TS-870U-RP, TS-470U-RP, TS-470U-SP, TS-879 Pro, TVS-870,
TS-870 Pro, TS-870, TVS-670, TS-670 Pro, TS-670, TVS-470, TS-470 Pro,
and TS-470.

    Due to the limitations of non-expandable memory capacity and 32-bit
processor architecture, starting from QTS 4.3.6, the TS-128 and TS-228
no longer support Container Station and all the dependent applications,
including Notes Station 3, Qcontactz, QcalAgent, AWS Greengrass, and
QIoT Suite Lite.


Security Updates

    Fixed a command injection vulnerability (CVE-2020-2509).
    Fixed a vulnerability in Apache HTTP server (CVE-2020-9490).

Known Issues

    When data is being transferred to or from a QNAP external RAID
enclosure, changes to the status of a degraded RAID group might not be
visible immediately in Storage & Snapshots.
    When an external RAID group is in degraded mode, its read/write
performance will be greatly reduced.



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



