Received this by email today. Is this something I should be taking seriously?
QNAP Encourages Users to Take Actions to Protect their Turbo NAS from Potential Bash Code Injection
Taipei, Taiwan, September 26, 2014 – QNAP® Systems, Inc. has been looking into the recent concerns over potential Bash code injection (CVE-2014-6271) that can lead to security vulnerabilities on the Turbo NAS and other Unix/Linux-based systems. A partial solution for CVE-2014-6271 exists but may result in another security vulnerability (CVE-2014-7169). QNAP is actively working on a solution for this issue, but in the meantime encourages all Turbo NAS users to take the following immediate actions to avoid any possible exploitation of their system.
As a temporary measure until a solution is released for this issue, please ensure that the following services of the Turbo NAS are disconnected from the Internet:
Web administration
Web server
WebDAV
Photo Station, Music Station, File Station, and any other NAS app that uses a web-based interface
Normally the local network is not accessible from the Internet easily; users can still use their Turbo NAS safely. If users still worry about the security of their local network, they can follow the steps to disable the QTS web UI completely, and only turn it on when necessary:
Log in to QTS and disable the Web Server in Applications
Log in to QTS and disable the secure connection (SSL) in General Settings
Disable NAS web administration using an SSH utility (such as PuTTY):
Connect to the Turbo NAS with admin username and password
Type the following command and hit the "Enter" key:
/etc/init.d/thttpd.sh stop
Note: The NAS web administration will become unavailable after taking the above steps. To restore it:
Restart the Turbo NAS, or
Manually start the web administration via SSH by typing the following command:
/etc/init.d/thttpd.sh start
QNAP will keep users updated with the latest information as it addresses this issue. If users would like further assistance, please contact QNAP Technical Support at http://helpdesk.qnap.com.
About QNAP
QNAP Systems, Inc., as its brand promise "Quality Network Appliance Provider", aims to deliver comprehensive offerings of cutting edge network attached storage (NAS) and network video recorder (NVR) solutions featured with ease-of-use, robust operation, large storage capacity, and trustworthy reliability. QNAP integrates technologies and designs to bring forth quality products that effectively improve business efficiency on file sharing, virtualization applications, storage management and surveillance in the business environments, as well as enrich entertainment life for home users with the offering of a fun multimedia center experience. Headquartered in Taipei, QNAP delivers its solutions to the global market with nonstop innovation and passion.
Media Contacts
marketing@qnap.com
Tel: +886-2-2641-2000
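An added example, not part of the email or QNAP's own tooling: one way to confirm over SSH that the web services named in the advisory are no longer listening after following the steps. The port list (80, 443, 8080, 8081) is an assumption, so set WEB_PORTS to whatever your NAS is configured to use; the function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Ports to look for. ASSUMED values; override with the ports your NAS uses.
WEB_PORTS="${WEB_PORTS:-80 443 8080 8081}"

# Read `netstat -tln` style output on stdin and print every port from
# WEB_PORTS that still has a listening TCP socket, one per line.
listening_web_ports() {
    awk -v ports="$WEB_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            # Field 4 is the local address; the port follows the last colon,
            # which covers both 0.0.0.0:80 and :::80.
            port = $4; sub(/.*:/, "", port)
            if ((port in want) && !(port in seen)) { seen[port] = 1; print port }
        }'
}

# Succeed only when none of the web ports is listening.
web_ui_closed() {
    open=$(listening_web_ports)
    if [ -n "$open" ]; then
        echo "still listening on:" $open >&2
        return 1
    fi
    return 0
}

# Constructed sample output: before and after the steps in the advisory.
SAMPLE_BEFORE='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:8080     0.0.0.0:*        LISTEN
tcp        0      0 :::443           :::*             LISTEN
tcp        0      0 0.0.0.0:445      0.0.0.0:*        LISTEN'
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address    Foreign Address  State
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN
tcp        0      0 0.0.0.0:445      0.0.0.0:*        LISTEN'

# On the NAS itself, run with --live to check the real socket table.
if [ "${1:-}" = "--live" ]; then
    if netstat -tln | web_ui_closed; then
        echo "no web ports listening"
    fi
fi
```

This only shows what is listening on the NAS itself; whether a port is reachable from the Internet also depends on the router's port forwarding.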