QNAP’s Buggy Security Fix Causes Chaos
2024-11-26 22:54:57 Author: securityboulevard.com(查看原文) 阅读量:1 收藏

Three tiny people cleaning the inside of a hard driveNAS maker does a CrowdStrike—cleanup on /dev/dsk/c1t2d3s4  please

Storage queens QNAP squashed some vulns last week, but the cure was worse than the disease. After applying the update, users found they couldn’t log in to their networked disk arrays, nor use many of the products’ features.

The firm stresses that the problems only affected some of its products. In today’s SB  Blogwatch, we’re thankful for small mercies.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  Don’t you reggae?

RAID FAIL

What’s the craic? Sergiu Gatlan reports: QNAP pulls buggy QTS firmware causing widespread NAS issues

QNAP recommends downgrading
QTS 5.2.2.2950 build 20241114, the buggy firmware causing these issues, was released … to patch multiple security vulnerabilities. [But] it also breaks various NAS features and capabilities, including the ability to connect to updated devices, … showing “Your login credentials are incorrect or account is no longer valid” errors—even after resets.

QNAP’s support team has replied to some affected customers, saying that the update has been removed from the downloaded page of impacted NAS models. QNAP recommends downgrading the firmware to QTS 5.2.1.2930 build 2024102, which should resolve the … issues.

And Dan Robinson quips: QNAP NAS users locked out after firmware update

Re-released a stable version
The Taiwan-based storage biz specializes in NAS kit and offers a whole portfolio of models to address various needs. However, users are complaining of issues following a firmware release that went out to some products last week.

The firmware upgrade was removed for some models sometime after it was released, yet … QNAP has failed to disclose which models were affected. … A QNAP spokesperson told us, “We recently released the QTS 5.2.2.2950 build 20241114 operating system update and received feedback from some users. … In response, QNAP promptly withdrew the operating system update … and re-released a stable version of QTS 5.2.2.2950 build 20241114.”

Horse’s mouth? QNAP® SNAFU PR BBQ LOL: QNAP Addresses Recent QTS 5.2.2 Operating System Update Issues

QNAP® Systems, Inc. … received feedbacks from some users reporting issues with device functionality after installation [of] QTS 5.2.2.2950 build 20241114. [It] affected … HS-453DX, TBS-453DX, TS-251D, TS-253D, TS-653D, TS-453D, TS-453Dmini, TS-451D, TS-451D2. Other NAS models running this version remain unaffected.

Security updates considered risky? NimbleSquirrel prefers not living on the bleeding edge:

This is not the first time: QNAP seem to have a history of pushing out bad firmware updates. … I do update my stuff, but I need to know an update is reliable before I go live with it. That is not much to ask.

After the Deadbolt ransomware, QNAP started enabling automatic updates by default. If you updated your firmware, QNAP enabled automatic updating regardless of whether you had it enabled or disabled prior. They didn’t tell anyone. You just had to know that you needed to manually disable automatic updates each time you did an update.

About three years ago QNAP pushed a dodgy update that failed and corrupted my RAID array. I wasn’t the only one affected. Luckily I was able to recover most of my data.

Delaying an update might be just as risky. ITMA agrees and has advice for big Q:

I don’t generally upgrade firmware as soon as it is released. Best to let others find any “show stoppers” first.

QNAP have done themselves no favours in the way this has been communicated: … Trying to hide “bad news” does nothing but piss customers off. If you want to take them with you, be open and honest and keep them informed.

Tough love. And u/kissmyash933 has this sick burn:

No surprise there. We had a QNAP at the last place I worked and I swear that every time we touched it for any reason it blew up in our faces. I remember having to take a day off our weekend one time to try and get it standing back up.

We got there, but in that moment I decided I’d never spend money on QNAP anything. … I’ve had some Synology issues over the years too, but they’re rare and nowhere near the disaster that QNAP was.

But what’s with those weird version numbers? KeithH rants thuswise:

According to QNAP, the fixed version has the same build identifier. … For the love of all that is good and proper, you don’t re-use a build number!

This is sloppy sloppy sloppy release management. It may not be as globally disastrous as CrowdStrike but it demonstrates just as much negligence on the part of the vendor. I’m waiting for the next release and am going to let it soak out in the wild before I apply it.

Come again? A slightly sarcastic Marty McFly spots the fly in the McOintment: [You’re fired—Ed.]

“We recently released the QTS 5.2.2.2950 build 20241114 operating system update … and re-released a stable version of QTS 5.2.2.2950 build 20241114.”

Sooo — they didn’t change the version & build numbers to make it obvious. ThAt’S hElPfUl.

Or not. u/zrgardne despairs:

How is QNAP still in business?

To be fair, this could happen to any manufacturer. What’s a cautious tech to do? anoncoward69 has nice advice:

Glad I keep two QNAP NAS devices. Primary one rsyncs to the Secondary one overnight. That way if some **** like this happens, I’m not locked out of my data. When it comes to firmware updates I always apply them to the Secondary one, … give it about a week to make sure there are no issues before updating the Primary.

Meanwhile, what have we learned today? Doctor Syntax makes like a pedagogue:

“Only a limited number of NAS models were affected.” Same old same old. Do they not realise that for someone who has one of them it’s not a limited number? It’s 100% of what they’ve got. Anyone who trots out this ancient piece of PR verbiage should … stop and think about what they’re saying to potential customers.

And Finally:

Give Thanks for this masterpiece

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Samu Lopez (via Unsplash; leveled and cropped)

Recent Articles By Author


文章来源: https://securityboulevard.com/2024/11/qnap-bad-patch-richixbw/
如有侵权请联系:admin#unsafe.sh