
QNAP caught napping as disclosure delay expires, critical NAS bugs revealed • The Register

Voice Of EU


Some QNAP network attached storage devices are vulnerable to attack because of two critical vulnerabilities, one that enables unauthenticated remote code execution and another that provides the ability to write to arbitrary files.

The vulnerabilities were made known to the Taiwan-based company on October 12, 2020, and on November 29, 2020, by SAM Seamless Network, a connected home security firm. They were found in the QNAP TS-231's latest firmware, version 4.3.6.1446, which SAM claims was released on September 29, 2020, and which QNAP's website lists as October 7, 2020 – which may represent different build numbers.

“We reported both vulnerabilities to QNAP with a four-month grace period to fix them,” said Yaniv Puyeski, an embedded software security researcher at SAM, in a blog post on Wednesday. “Unfortunately, as of the publishing of this article, the vulnerabilities have not yet been fixed.”


On Thursday, however, QNAP released TS-231 firmware version 4.3.6.1620, which addresses a command injection vulnerability (CVE-2020-2509) and a vulnerability in Apache HTTP server (CVE-2020-9490). The release notes also say that support for “Wi-Fi ad-hoc mode” has been removed due to security concerns.

The command injection flaw (CVE-2020-2509) is one of the vulnerabilities SAM reported.

The other, according to ThreatPost, has been designated CVE-2021-36195, which is not cited in QNAP’s release notes.

It seems current, non-legacy hardware running firmware prior to QTS 4.5.2.1566 (build 20210202) and QTS 4.5.1.1495 (build 20201123) may also be vulnerable to the remote code execution bug and should be patched with QTS 4.5.2.1566 (ZIP) or QTS 4.5.1.1495 (ZIP), as applicable.

The two vulnerabilities were found in the NAS web server and the DLNA (Digital Living Network Alliance) server, respectively, according to Puyeski, who said SAM has withheld details about the vulnerabilities because there are tens of thousands of QNAP devices exposed to the internet.

The NAS web server bug was identified by fuzzing – injecting data programmatically – various cgi files, based on past observations that QNAP NAS devices have implemented web pages that don’t require authentication and execute server-side code. The security firm’s researchers found they could trigger remote code execution indirectly, by inducing certain behavior in other processes.

Resolving the NAS bug is a matter of “adding input sanitizations to some core processes and library APIs,” said Puyeski.

The issue with the DLNA server, which handles UPNP requests on port 8200 via the process myupnpmediasvr, is that a remote attacker can use the server to write an arbitrary file.
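The two fixes the article alludes to, input sanitization for a CGI handler that builds an OS command and a confined destination for a server that writes files, shown as a constructed Python example added here. It is not QNAP's code and does not reproduce either reported bug: the `host` parameter, the hostname allowlist regex and the media root directory are assumptions chosen for illustration.

```python
"""Constructed example (not QNAP's code): the two bug classes named in the
article, each with the kind of check that closes it.

1. A CGI page that splices a request parameter into a shell command line
   (command injection) versus an allowlisted value passed as one argv entry.
2. A service that writes a file to a caller-chosen path (arbitrary file write)
   versus a path resolved and confined to a fixed media root.
"""
import os
import re
from urllib.parse import parse_qs

# Assumed allowlist for a hostname/IP parameter: letters, digits, dots, hyphens.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_command(query_string):
    """Insecure pattern: interpolating a raw CGI parameter into a shell line.
    Returns the string that would be handed to a shell (nothing is executed),
    so the test can show that shell metacharacters survive into the command."""
    params = parse_qs(query_string, keep_blank_values=True)
    host = params.get("host", [""])[0]
    return "ping -c 1 " + host          # ';', '|', '$(...)' in host become new commands


def hardened_argv(query_string):
    """Validate the parameter against an allowlist and build an argv list.
    Passing argv to subprocess.run(argv) with shell=False (the default) means
    the value reaches ping as a single argument and no shell ever parses it."""
    params = parse_qs(query_string, keep_blank_values=True)
    host = params.get("host", [""])[0]
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", host]


def accepts_host(query_string):
    """True if the hardened handler would run the command for this query."""
    try:
        hardened_argv(query_string)
        return True
    except ValueError:
        return False


def safe_write_path(media_root, requested_name):
    """Resolve a client-supplied file name under media_root and refuse anything
    that escapes it: '..' segments, absolute paths and symlink hops are all
    normalised away by realpath before the containment check."""
    root = os.path.realpath(media_root)
    candidate = os.path.realpath(os.path.join(root, requested_name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("write outside media root refused: %r" % requested_name)
    return candidate


def path_is_within_root(media_root, requested_name):
    """True if safe_write_path would allow the write."""
    try:
        safe_write_path(media_root, requested_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request: the host value carries a URL-encoded ';echo injected'.
    tainted = "host=127.0.0.1%3Becho%20injected"
    print("vulnerable would run :", vulnerable_command(tainted))
    print("hardened accepts it  :", accepts_host(tainted))
    print("hardened argv        :", hardened_argv("host=nas.example.internal"))
    print("traversal allowed    :", path_is_within_root("/srv/media", "../../etc/cron.d/job"))
    print("normal write goes to :", safe_write_path("/srv/media", "albums/cover.jpg"))
```

The allowlist regex is deliberately narrow: rejecting everything that is not a plausible hostname is simpler and safer than trying to escape individual shell metacharacters, and keeping the shell out of the call path entirely removes the second half of the problem. The path check resolves both the root and the candidate with `realpath` before comparing them, which is what defeats `..` segments and symlinks that a plain string-prefix test would miss.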

ThreatPost claims this flaw is addressed in an updated version of QNAP’s media server app, Multimedia Console 1.3.4, though the update makes no mention of any security fixes.

QNAP did not immediately respond to a request for comment. SAM also did not respond to our inquiry. ®


Amazon Web Services outage hits sites and apps such as IMDb and Tinder | Amazon


Several Amazon services – including its website, Prime Video and applications that use Amazon Web Services (AWS) – went down for thousands of users on Tuesday.

Amazon said the outage was probably due to problems related to its application programming interface (API), which is a set of protocols for building and integrating application software, Reuters reported.

“We are experiencing API and console issues in the US-East-1 Region,” Amazon said in a report on its service health dashboard, adding that it had identified the cause. By late afternoon the outage appeared to be partially resolved, with the company saying that it was “working towards full recovery”.

“With the network device issues resolved, we are now working towards recovery of any impaired services,” the company said on the dashboard.

Downdetector showed more than 24,000 incidents of people reporting problems with Amazon. It tracks outages by collating status reports from a number of sources, including user-submitted errors on its platform.

The outage was also affecting delivery operations. Amazon’s warehouse operations use AWS and experienced disruptions, spokesperson Richard Rocha told the Washington Post. A Washington state Amazon driver said his facility had been “at a standstill” since Tuesday morning, CNBC reported.

Other services, including Amazon’s Ring security cameras, mobile banking app Chime and robot vacuum cleaner maker iRobot were also facing difficulties, according to their social media pages.

Ring said it was aware of the issue and working to resolve it. “A major Amazon Web Services (AWS) outage is currently impacting our iRobot Home App,” iRobot said on its website.

Other websites and apps affected include the Internet Movie Database (IMDb), language learning provider Duolingo and dating site Tinder, according to Downdetector.

The outage also affected presale tickets for Adele’s upcoming performances in Las Vegas. “Due to an Amazon Web Services (AWS) outage impacting companies globally, all Adele Verified Fan Presales scheduled for today have been moved to tomorrow to ensure a better experience,” Ticketmaster said on Twitter.

In June, websites including the Guardian, Reddit, Amazon, CNN, PayPal, Spotify, Al Jazeera Media Network and the New York Times were hit by a widespread hour-long outage linked to US-based content delivery network provider Fastly Inc, a smaller rival of AWS.

In July, Amazon experienced a disruption in its online stores service, which lasted for nearly two hours and affected more than 38,000 users.

Users have experienced 27 outages over the past 12 months on Amazon, according to the web tool reviewing website ToolTester.


South Korea sets reliability standards for Big Tech • The Register


South Korea’s Ministry of Science and ICT has offered Big Tech some advice on how to make their services suitably resilient, and added an obligation to notify users – in Korean – when they fail.

The guidelines apply to Google, Meta (parent company of Facebook), Netflix, Naver, Kakao and Wavve. All have been told to improve their response to faults by beefing up preemptive error detection and verification systems, and to create backup storage systems that enable quick content recovery.

The guidelines offer methods Big Tech can use to measure user loads, then plan accordingly to ensure their services remain available. Uptime requirements are not spelled out.

Big Tech is already rather good at resilience. Google literally wrote the book on site reliability engineering.

The guidelines refer to legislation colloquially known as the “Netflix law” which requires major service outages be reported to the Ministry.

That law builds on another enacted in 2020 that made online content service providers responsible for the quality of their streaming services. It was put in place after a number of outages, including one where notifications of the problem were made on the offending company’s social media site – but only in English.

The new regulations follow South Korean telcos’ recent attempts to have platforms that guzzle their bandwidth pay for the privilege. Mobile carrier SK Broadband took legal action in October of this year, demanding Netflix pitch in some cash for the amount of bandwidth that streaming shows – such as Squid Game – consume.

In response, Netflix pointed at its own free content delivery network, Open Connect, which helps carriers to reduce traffic. Netflix then accused SK Broadband of trying to double up on profits by collecting fees from consumers and content providers at the same time.

For the record, Naver and Kakao pay carriers, while Apple TV+ and Disney+ have at the very least given lip service to the idea.

Korea isn’t the only place where telcos have noticed Big Tech taking up more than its fair share of bandwidth. The European Telecommunications Network Operators’ Association (ETNO) published a letter from ten telco CEOs asking that larger platforms “contribute fairly to network costs”. ®


Twitter acquires Slack competitor Quill to improve its messaging services


As part of the acquisition, Quill will be shutting down at the end of the week as its team joins the social media company.

Twitter has acquired the messaging platform Quill, seen as a potential competitor to Slack, in order to improve its messaging tools and services.

Quill announced that it will be shutting down at the end of the week as its team joins the social media company to continue its original goal “to make online communication more thoughtful, and more effective, for everyone”.

The purchase of Quill could be linked to Twitter’s new strategy to reduce its reliance on ad revenue and attract paying subscribers.

Twitter’s general manager for core tech, Nick Caldwell, described Quill as a “fresher, more deliberate way to communicate. We’re bringing their experience and creativity to Twitter as we work to make messaging tools like DMs a more useful and expressive way people can have conversations on the service”.

Users of Quill have until 11 December to export their team message history before the servers are fully shut down at 1pm PST (9pm Irish time). The announcement has instructions for users who wish to import their chat history into Slack and states that all active teams will be issued full refunds.

The team thanked its users and said: “We can’t wait to show you what we’ll be working on next.”

Quill was launched in February with the goal to remove the overwhelming aspects of other messaging services and give users a more deliberate and focused form of online chat.

In an online post, Quill creator Ludwig Pettersson said: “We started Quill to increase the quality of human communication. Excited to keep doing just that, at Twitter.”

The company became a potential competitor for Slack, which was bought by Salesforce at the end of 2020 for $27.7bn. The goal of that acquisition was to combine Salesforce’s CRM platform with Slack’s communications tools to create a unified service tailored to digital-led teams around the world.

Last week, Salesforce announced the promotion of Bret Taylor to vice-chair and co-CEO, just days after he was appointed independent chair of Twitter after CEO Jack Dorsey stepped down.
