QNAP Warns Users to Pull Remote Access in Race to Patch Bash Shellshock Bug

QNAP today took the unprecedented step of emailing owners of its NAS devices, with an urgent warning to switch off remote Internet access on their devices.

The warning comes as news of a notorious security exploit, known as Shellshock, spreads across the world. The vulnerability affects the Bash shell application, commonly used in Linux, Unix and Mac OS X operating systems to control computers through the command line. Using the vulnerability, it could be possible for unauthorised remote users to take control of affected devices, make changes to systems and delete data.

While the software industry at large races to patch the vulnerability, the safest way to ensure your data is not at risk is to guarantee it cannot be accessed over the Internet. Many NAS vendors include software applications that open up remote access to the device, including photography storage and slideshow apps, entertainment apps as well as more obvious applications allowing remote log-in and control of the device and data.

Today’s warning reads as follows:
QNAP Encourages Users to Take Actions to Protect their Turbo NAS from Potential Bash Code Injection

Taipei, Taiwan, September 26, 2014 – QNAP® Systems, Inc. has been looking into the recent concerns over potential Bash code injection (CVE-2014-6271) that can lead to security vulnerabilities on the Turbo NAS and other Unix/Linux-based systems. A partial solution for CVE-2014-6271 exists but may result in another security vulnerability (CVE-2014-7169). QNAP is actively working on a solution for this issue, but in the meantime encourages all Turbo NAS users to take the following immediate actions to avoid any possible exploitation of their system.

As a temporary measure until a solution is released for this issue, please ensure that the following services of the Turbo NAS are disconnected from the Internet:

  • Web administration
  • Web server
  • WebDAV
  • Photo Station, Music Station, File Station, and any other NAS app that uses a web-based interface

Normally the local network is not accessible from the Internet easily, users can still use their Turbo NAS safely. If users still worry about the security of their local network, they can follow the steps to disable the QTS web UI completely, and only turn it on when necessary:

  • Login to QTS and disable the Web Server in Applications
  • Login to QTS and disable the secure connection (SSL) in General Settings
  • Disable NAS web administration using a SSH utility (such as putty):
    1. Connect to the Turbo NAS with admin username and password
    2. Type the following command and hit the “Enter” key:
      /etc/init.d/thttpd.sh stop

Note: The NAS web administration will become unavailable after taking the above steps. To restore it:

  1. Restart the Turbo NAS, or
  2. Manually start the web administration via SSH by typing the following command:
    /etc/init.d/thttpd.sh start

QNAP will keep users updated with the latest information as addressing this issue. If users would like further assistance, please contact QNAP Technical Support at http://helpdesk.qnap.com.


QNAP have clearly taken a lead here in advising users to protect their data – we’ll let you know as and when other manufacturers announce their own responses.


Leave a Reply