QNAP security advisory for Roon Server

This vulnerability is not caused by Roon Server.
It was caused by me and is located in the web interface of the QNAP Roon Server app.
I am working on it right now.

25 Likes

Thank you for the quick reply Christopher!

1 Like

Any related thread on Synology?

The Synology Diskstations do not have this web interface. Due to that, there is no related threat on diskstations.

1 Like

Refer to https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/

1 Like

*** BEWARE ***
Hit by eCh0raix last week on my QNAP NAS. Roon was the security hole. QNAP has removed Roon from their App Center for the time being. Bought the NAS for Roon specifically so I hope Roon gets with the times very soon. Pretty bush-league in this day and age…

I got this notification from QNAP yesterday in my inbox. Is this the same issue?

I stopped Roon from running but same here, I bought my QNAP to run Roon and store my music library.

Hello everyone,
I have also been hit by eCh0raix last week. I managed to format everything and restore a previous backup.

Unfortunately now I cannot use Roon anymore on my QNAP. The application disappeared from the app center of QNAP.

@crieke do you know if it will be released anytime soon or should I think about other solutions?

Thanks for your efforts, really appreciated.

1 Like

Same here, no application in the App Center anymore. @crieke please?

I understand how a web interface could have a vulnerability, but how did this happen? Did the victims here have their QNAP server exposed to the outside world either through UPnP or port forwarding?

The app has been taken down, until a fix is available.
I have sent a new build with a quickfix to the issue (described in their email) yesterday and added further improvements today (announced by mail, but no build sent yet). I hope to get feedback to the changes on monday. They will probably (for good reasons) check the build before putting it back in their App Center.

9 Likes

Many thanks.

I also do not expose my NAS to the outside world. But the main error was in the webinterface and this should not have happened. :frowning:

3 Likes

@crieke would you be able to share a link with your latest build? We could install it manually before it get “approved” by QNAP.

As I reinitialised the NAS I’m left without Roon core… and it’s weekend :slight_smile:

Much appreciated Chris!

Thanks for jumping in fast, Christopher. As I’ve said before, we are REALLY lucky to have you as part of this community. I wouldn’t be a Roon subscriber without the NAS capability you provide. So thank you. BTW, does the Synology interface have the same vulnerability?

2 Likes

If you’re a roon user who install roon on a Synology Diskstations, you are SAFE this time.

@crieke - Any update on the build you submitted?

1 Like

First feedback this morning: it seems to have closed the vulnerability.
They do perform further testing now before releasing it to their app center.

9 Likes

Hi,
I use the Roon App on a QNAP NAS, and I use Tidal with Roon. Both the Roon App and Tidal require access to the internet. I have seen advice not to expose the NAS to the outside world. However, I have not seen a good explanation as to how to accomplish this–at least not advice useful to me (not being an IT expert). I would very much appreciate your help!
Thank you!

1 Like