@danny are you guys @roonlabs aware of this? I’m a bit worried seeing an attack campaign is already ongoing… I hope roonserver hidden behind NAT is adequate protection, as there are no details about the attack vector…
The QNAP security team has detected an attack campaign in the wild related to a vulnerability in Roon Server. QNAP NAS running the following versions of Roon Server may be susceptible to attack:
Roon Server 2021-02-01 and earlier
We have already notified Roon Labs of the issue and are thoroughly investigating the case. We will release security updates and provide further information as soon as possible.
Recommendation
QNAP recommends users not to expose their NAS to the internet. Before a security update is available from Roon Labs, we also recommend disabling Roon Server to prevent potential attacks.
Disabling Roon Server
Log on to QTS as administrator.
Open the App Center and then click .
A search box appears.
Type “Roon Server” and then press ENTER.
Roon Server appears in the search results.
Hopefully we will receive some confirmation or reassurance ASAP.
Last week I got all my data encrypted because of another vulnerability on the Qnap Nas.
The hacker asked about 1350€ to decrypt my data… luckily I had almost everything backed up, only some files got lost.
It’s really not a pleasant feeling… it’s like someone entering your house.
I disabled NAS access from outside and am not using openvpn/qvpn anymore.
The instructions from QNAP were simple enough…change port number for remote access to the QNAP, and change login/password away from admin…and update all apps to latest versions. There’s also a fairly simple SSH check on whether the 7z ransomware is actually on the system and how to find the unlock code…
I saw this advisory today too - QNAP has had a lot of various ransomware attacks against their NAS devices this past year so be sure your software/firmware is up to date.
My question is, while QNAP discovered active exploitation and reported the vulnerability to Roon, it’s possible the vuln in Roon Server is not a QNAP-only issue, as the language does not state that explicitly.
I would love for Roon to chime in (or please let me know if there is a statement/vulnerability note they’ve published) on the issue so non-QNAP device users like myself can decide if our servers are also vulnerable.
For now I’ve shut down my server and am standing by.
This vulnerability is not caused by Roon Server.
It was caused by me and is located in the web interface of the QNAP Roon Server app.
I am working on it right now.
*** BEWARE ***
Hit by eCh0raix last week on my QNAP NAS. Roon was the security hole. QNAP has removed Roon from their App Center for the time being. Bought the NAS for Roon specifically so I hope Roon gets with the times very soon. Pretty bush-league in this day and age…
I understand how a web interface could have a vulnerability, but how did this happen? Did the victims here have their QNAP server exposed to the outside world either through UPnP or port forwarding?
The app has been taken down, until a fix is available.
I have sent a new build with a quickfix to the issue (described in their email) yesterday and added further improvements today (announced by mail, but no build sent yet). I hope to get feedback on the changes on Monday. They will probably (for good reasons) check the build before putting it back in their App Center.