With the world still in "shellshock" from the recent bash vulnerabilities, we"re now finding that the risks go much further than installed servers and workstations, since millions of devices on the Internet also run some form of Linux. Of particular concern are personal NAS devices, since users may not take the time to try and update them, even after the recent Synolocker scare.
Based on a press release by QNAP, it looks like their NAS devices are vulnerable to the bash bug and they"re urgently requesting that all users of their products take immediate action, especially if users are sharing their devices on the Internet. The announcement specifically calls out the following services that should be immediately disconnected:
- Web administration
- Web server
- WebDAV
- Photo Station, Music Station, File Station, and any other NAS app that uses a web-based interface
It"s important to note that there have been no notifications of breaches, so this may simply be a precaution to avoid an unknown attack vector.
Synology, on the other hand, claims that most of their devices are secure from the threat. However they"re still working on updating DSM with a patch to completely remove the vulnerability.
This is once again an important reminder to keep up to date on patches and remember that anything on a network is a potential target.