QNAP representatives warned that the Zerologon vulnerability (CVE-2020-1472), patched by Microsoft as part of the August Patch Tuesday, may pose a threat to some of the company's NAS models.
Let me remind you that many information security specialists called Zerologon the most dangerous bug of the current year, and experts from the US Department of Homeland Security gave the country's federal agencies only three days to urgently fix it, threatening disconnection from federal networks otherwise.
The Zerologon vulnerability relies on a weak cryptographic algorithm used in the Netlogon authentication process. The problem was named Zerologon, since the attack is carried out by adding zeros to certain Netlogon authentication parameters. As a result, the bug allows an attacker to manipulate authentication, namely:
- impersonate any computer on the network during authentication with a domain controller;
- disable security mechanisms during Netlogon authentication;
- change the computer password in the Active Directory domain controller.
Now QNAP experts report that a NAS can be vulnerable to this problem if the user has configured the device as a domain controller (Control Panel -> Network & File Services -> Win / Mac / NFS -> Microsoft Networking).
Although a NAS is not typically used as a Windows domain controller, some organizations use this feature so that administrators can handle user account management, authentication and domain security on certain NAS models. This is not common, but it still occurs. As a result, the vulnerability allows a remote attacker to bypass security measures through a compromised device with QTS on board.
QNAP developers strongly recommend that users update the QTS operating system on their NAS as well as all installed applications. According to QNAP, QTS 2.x and QES are not affected by CVE-2020-1472, and the issue has already been fixed in the following versions of QTS:
- QTS 126.96.36.1996 build 20201015 and newer;
- QTS 188.8.131.529 build 20200925 and newer;
- QTS 184.108.40.2066 Build 20200929 and newer;
- QTS 220.127.116.113 build 20201006 and newer;
- QTS 18.104.22.1682 build 20201006 and newer.