QNAP has addressed a critical security vulnerability in its Surveillance Station app that, if exploited, would allow an unauthorized user to remotely execute malicious code on a network-attached storage (NAS) device running the vulnerable software. Surveillance Station is QNAP’s network surveillance Video Management System (VMS), a software solution that allows users to manage and monitor up to 12 IP cameras. The flaw is a stack-based buffer overflow that impacts QNAP NAS devices running Surveillance Station. QNAP has fixed the vulnerability in the following software versions: Surveillance Station 5.1.5.4.3 and 5.1.5.3.3, for ARM CPU NAS (32-bit and 64-bit OS) and x86 CPU NAS (32-bit and 64-bit). QNAP also patched a medium-severity cross-site scripting (XSS) vulnerability, which was addressed in Photo Station 6.0.11 and later versions.
Analyst Notes
Given the vulnerability’s severity, users of QNAP systems are strongly advised to update as soon as possible. IT administrators are advised to look for and apply security updates as soon as they become available so that their systems stay as up to date as possible. NAS devices are regularly targeted because they routinely contain sensitive information that is too important to be kept on individual machines, and they are often connected to networks or exposed directly to the Internet for convenience.
Source article: https://www.bleepingcomputer.com/news/security/qnap-patches-critical-vulnerability-in-surveillance-station-nas-app/?&web_view=true