{"id":2037597,"date":"2024-11-26T09:54:57","date_gmt":"2024-11-26T14:54:57","guid":{"rendered":"https:\/\/securityboulevard.com\/?p=2037597"},"modified":"2024-11-26T10:00:42","modified_gmt":"2024-11-26T15:00:42","slug":"qnap-bad-patch-richixbw","status":"publish","type":"post","link":"https:\/\/securityboulevard.com\/2024\/11\/qnap-bad-patch-richixbw\/","title":{"rendered":"QNAP\u2019s Buggy Security Fix Causes Chaos"},"content":{"rendered":"
\"Three<\/a>NAS maker does a CrowdStrike\u2014cleanup on \/dev\/dsk\/c1t2d3s4\u202f\u202fplease<\/strong><\/h5>\n

Storage queens QNAP squashed some vulns last week, but the cure was worse than the disease.<\/strong> After applying the update, users found they couldn\u2019t log in to their networked disk arrays, nor use many of the products\u2019 features.
\n
\nThe firm stresses that the problems only affected some<\/i> of its products.<\/strong> In today\u2019s SB\u202f\u202fBlogwatch<\/a>, we\u2019re thankful for small mercies.
\n
\nYour humble blog\u00adwatcher<\/a> curated these bloggy bits for your enter\u00adtain\u00adment. Not to mention:\u202f\u202fDon\u2019t you reggae?<\/i>
\n<\/p>\n

RAID FAIL<\/h2>\n

What\u2019s the craic?<\/strong> Sergiu Gatlan reports: QNAP pulls buggy QTS firmware causing widespread NAS issues<\/a><\/p>\n

\u201cQNAP recommends downgrading<\/tt>\u201d<\/strong>
\nQTS 5.2.2.2950 build 20241114, the buggy firmware causing these issues, was rel\u00adeased\u202f\u2026\u202fto patch multiple security vulnerabilities. [But] it also breaks various NAS features and capabilities, including the ability to connect to updated dev\u00adices,\u202f\u2026\u202fshow\u00ading “Your login credentials are incorrect or account is no longer valid” errors\u2014even after resets.
\n\u2026
\nQNAP’s support team has replied to some affected customers, saying that the update has been removed from the downloaded page of impacted NAS models. QNAP recommends downgrading the firmware to QTS 5.2.1.2930 build 2024102, which should resolve the\u202f\u2026\u202fissues.
\n<\/p>\n

And<\/strong> Dan Robinson quips: QNAP NAS users locked out after firmware update<\/a><\/p>\n

\u201cRe-released a stable version<\/tt>\u201d<\/strong>
\nThe Taiwan-based storage biz specializes in NAS kit and offers a whole portfolio of models to address various needs. However, users are complaining of issues following a firmware release that went out to some products last week.
\n\u2026
\nThe firmware upgrade was removed for some models sometime after it was released, yet\u202f\u2026\u202fQNAP has failed to disclose which models were affected. \u2026 A QNAP spokesperson told us, “We recently released the QTS 5.2.2.2950 build 20241114 operating system update and received feedback from some users. \u2026 In response, QNAP promptly withdrew the operating system update\u202f\u2026\u202fand re-released a stable version of QTS 5.2.2.2950 build 20241114.”
\n<\/p>\n

Horse\u2019s mouth?<\/strong> QNAP\u00ae SNAFU PR BBQ LOL: QNAP Addresses Recent QTS 5.2.2 Operating System Update Issues<\/a><\/p>\n

QNAP\u00ae Systems, Inc.\u202f\u2026\u202freceived feedbacks from some users reporting issues with device functionality after installation [of] QTS 5.2.2.2950 build 20241114. [It] affected\u202f\u2026\u202fHS-453DX, TBS-453DX, TS-251D, TS-253D, TS-653D, TS-453D, TS-453Dmini, TS-451D, TS-451D2. Other NAS models running this version remain unaffected.
\n<\/p>\n

Security updates considered risky?<\/strong> NimbleSquirrel<\/a> prefers not living on the bleeding edge:<\/p>\n

This is not the first time: QNAP seem to have a history of pushing out bad firmware updates. \u2026 I do update my stuff, but I need to know an update is reliable before I go live with it. That is not much to ask.
\n\u2026
\nAfter the Deadbolt ransomware, QNAP started enabling automatic updates by default. If you updated your firmware, QNAP enabled automatic updating regardless of whether you had it enabled or disabled prior. They didn’t tell anyone. You just had to know<\/i> that you needed to manually disable automatic updates each time you did an update.
\n\u2026
\nAbout three years ago QNAP pushed a dodgy update that failed and corrupted my RAID array. I wasn’t the only one affected. Luckily I was able to recover most of my data.
\n<\/p>\n

Delaying an update might be just as risky.<\/strong> ITMA<\/a> agrees and has advice for big Q:<\/p>\n

I don’t generally upgrade firmware as soon as it is released. Best to let others find any “show stoppers” first.
\n\u2026
\nQNAP have done themselves no favours in the way this has been communicated:\u202f\u2026\u202fTrying to hide “bad news” does nothing but piss customers off. If you want to take them with you, be open and honest and keep them informed.
\n<\/p>\n

Tough love.<\/strong> And u\/kissmyash933<\/a> has this sick burn:<\/p>\n

No surprise there. We had a QNAP at the last place I worked and I swear that every time we touched it for any reason it blew up in our faces. I remember having to take a day off our weekend one time to try and get it standing back up.
\n\u2026
\nWe got there, but in that moment I decided I\u2019d never spend money on QNAP anything. \u2026 I\u2019ve had some Synology issues over the years too, but they\u2019re rare and nowhere near the disaster that QNAP was.
\n<\/p>\n

But what\u2019s with those weird version numbers?<\/strong> KeithH<\/a> rants thuswise:<\/p>\n

According to QNAP, the fixed version has the same build identifier<\/i>. \u2026 For the love of all that is good and proper, you don’t re-use a build number!
\n\u2026
\nThis is sloppy sloppy sloppy release management. It may not be as globally disastrous as CrowdStrike but it demonstrates just as much negligence on the part of the vendor. I’m waiting for the next release and am going to let it soak out in the wild before I apply it.
\n<\/p>\n

Come again?<\/strong> A slightly<\/i> sarcastic Marty McFly<\/a> spots the fly in the McOintment:\u00a0[You\u2019re fired\u2014Ed.]<\/em><\/p>\n

“We recently released the QTS 5.2.2.2950 build 20241114 operating system update\u202f\u2026\u202fand re-released a stable version of QTS 5.2.2.2950 build 20241114.”
\n\u2026
\nSooo \u2014 they didn’t change the version & build numbers to make it obvious. ThAt’S hElPfUl.<\/i>
\n<\/p>\n

Or not.<\/strong> u\/zrgardne<\/a> despairs:<\/p>\n

How is QNAP still in business?
\n<\/p>\n

To be fair, this could happen to any manufacturer.<\/strong> What\u2019s a cautious tech to do? anoncoward69<\/a> has nice advice:<\/p>\n

Glad I keep two QNAP NAS devices. Primary one rsyncs to the Secondary one overnight. That way if some **** like this happens, I’m not locked out of my data. When it comes to firmware updates I always apply them to the Secondary one,\u202f\u2026\u202fgive it about a week to make sure there are no issues before updating the Primary.
\n<\/p>\n

Meanwhile,<\/strong> what have we learned today? Doctor Syntax<\/a> makes like a pedagogue:<\/p>\n

“Only a limited number of NAS models were affected.” Same old same old. Do they not realise that for someone who has one of them it’s not a limited number? It’s 100% of what they’ve got. Anyone who trots out this ancient piece of PR verbiage should\u202f\u2026\u202fstop and think about what they’re saying to potential customers.
\n<\/p>\n

And Finally:<\/h4>\n

Give Thanks for this masterpiece<\/a><\/b>