Taipei, Taiwan, September 23, 2015 – QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Security Alert for XcodeGhost malware on iOS apps
Release date: September 22, 2015
Last updated: September 22, 2015
Bulletin ID: NAS-201509-22
Severity rating: Not vulnerable
Apple, in conjunction with a number of security professionals around the world, is currently in the process of identifying and removing a number of apps from the App Store. These apps were compiled using a modified, non-official version of the Xcode development platform for iOS. Apps compiled with the infected Xcode may contain malware that steals sensitive user information, among other malicious actions.
The iOS apps published by QNAP are built using the official version of Xcode. No QNAP apps are affected by this issue.
For more information about this security issue, please visit: http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/.
- Qfile and myQNAPcloud website cannot show Share Folders.
- After being set to default settings, the power recovery function does not use these settings after restarting the NAS.
- Disabling the Domain Controller does not unmount the POSIX ACL of major volumes.
- Virtualization Station fails to enter its Create VM and Preferences page.
QTS 4.2.0 Build 0918
- When testing the connection for RTRR jobs in Backup Station, an invalid username/password will be displayed.
- Converting metadata to 64GB when an iSCSI LUN is connected may cause the process to fail.
- After editing the Description of a computer in the NAS Domain Controller Page, attempting to log into that computer with a domain user will fail.
- ARM-based NAS cannot show all of the users in the trusted network in Domain Users/Groups list.
- Gmail Backup will display an error for the Data Volume size on the overview page.
- The system will restart after taking a snapshot.
- The iSCSI Target authentication will fail after restarting the NAS.
- The system will be unable to show destination pools after creating a Replication Job in Snapshot Replica.
- The tooltip will not be displayed when hovering over mSATA and HDD icons.
- The TS-269H cannot connect to VPN Server (OpenVPN).
- If the network recycle bin is disabled, the volume from File Manager cannot be seen.
- Photos cannot be uploaded to newly-created folders in Multimedia in Photo Station 5.
- Slideshows in Photo Station 5 will not play audio.
- No downloads will occur on .torrent files after the torrent.html download is completed.
- Enabling “Restrict the access of Recycle Bin to administrators only of now” and then enabling “Enable Advanced Folder Permissions” will cause non-Administrators group users to be able to access the Recycle Bin.
- Symform fails to work after upgrading from 4.1.4 to 4.2.0.
- Video Station cannot create new thumbnails if the “Modified Date” is changed after the thumbnail is created.
- Cloud drives cannot be connected via SMB over anonymous connections.
- If a BT job contains thousands of files before upgrading, then the upgrade will take a prolonged time to complete.
- There will be no response if a folder is right-clicked in File Station and the OK button is clicked inside the Copy to wizard.
Security vulnerabilities addressed in QTS 4.1.4 Build 0910 and 4.2.0 RC2 (Build 0910)
Release date: Sep 15, 2015
Last updated: Sep 15, 2015
Bulletin ID: NAS-201509-15
Severity rating: Critical
Every QNAP NAS with firmware prior to 4.1.4 Build 0910 and 4.2.0 RC2 (Build 0910)
The QTS 4.1.4 Build 0910 firmware includes 3 security fixes. The vulnerabilities are listed below.