Zerologon Problem Threatens Certain Qnap NAS

Qnap representatives warned that the Zerologon vulnerability (CVE-2020-1472), patched by Microsoft as part of the August “update Tuesday”. And Zerologon Problem threatens some QNAP NAS models.

Let me remind you that many information security specialists called Zerologon the most dangerous mistake of the current year, and experts from the US Department of Homeland Security gave the federal agencies only three days to urgently fix the bug, otherwise they threatened to disconnect from federal networks.

The Zerologon vulnerability relies on a weak cryptographic algorithm used in the Netlogon authentication process. The problem was named Zerologon, since the attack is carried out by adding zeros to certain Netlogon authentication parameters. As a result, the bug allows an attacker to manipulate authentication, namely:

• impersonate any computer on the network during authentication with a domain controller;
• disable security mechanisms during Netlogon authentication;
• change the computer password in the Active Directory domain controller.

Now Qnap experts report that NAS may be vulnerable to this problem if the user has configured the device as a domain controller (Control Panel -> Network & File Services -> Win/Mac/NFS -> Microsoft Networking).

Although NAS is not typically used as a Windows domain controller, sometimes organizations can use this feature to allow administrators to use some NAS models for user account management, authentication, and domain security. This is not common, but still occurs.

“As a result, the vulnerability allows a remote attacker to bypass security measures through a compromised device with QTS on board”, – say Qnap experts.

Qnap developers strongly recommend that users update the QTS operating system on their NAS as well as all installed applications. According to Qnap, QTS 2.x and QES are not affected by CVE-2020-1472 and the issue has already been fixed in the following versions of QTS:

• QTS 4.5.1.1456 build 20201015 and newer;
• QTS 4.4.3.1439 build 20200925 and newer;
• QTS 4.3.6.1446 build 20200929 and newer;
• QTS 4.3.4.1463 build 20201006 and newer;
• QTS 4.3.3.1432 build 20201006 and newer.

Let me remind you that after the bug just appeared, we wrote that the Zerologon problem allows capturing Windows servers on corporate networks.