QNAP security advisory for Roon Server

*** BEWARE ***
Hit by eCh0raix last week on my QNAP NAS. Roon was the security hole. QNAP has removed Roon from their App Center for the time being. Bought the NAS for Roon specifically so I hope Roon gets with the times very soon. Pretty bush-league in this day and age…

I got this notification from QNAP yesterday in my inbox. Is this the same issue?

I stopped Roon from running but same here, I bought my QNAP to run Roon and store my music library.

Hello everyone,
I have also been hit by eCh0raix last week. I managed to format everything and restore a previous backup.

Unfortunately now I cannot use Roon anymore on my QNAP. The application disappeared from the app center of QNAP.

@crieke do you know if it will be released anytime soon or should I think about other solutions?

Thanks for your efforts, really appreciated.

Same here, no application in the App Center anymore. @crieke please?

I understand how a web interface could have a vulnerability, but how did this happen? Did the victims here have their QNAP server exposed to the outside world either through UPnP or port forwarding?

The app has been taken down, until a fix is available.
I have sent a new build with a quick fix for the issue (described in their email) yesterday and added further improvements today (announced by mail, but no build sent yet). I hope to get feedback on the changes on Monday. They will probably (for good reasons) check the build before putting it back in their App Center.

Many thanks.

I also do not expose my NAS to the outside world. But the main error was in the web interface and this should not have happened. :(

@crieke would you be able to share a link to your latest build? We could install it manually before it gets “approved” by QNAP.

As I reinitialised the NAS I’m left without Roon core… and it’s the weekend :)

Much appreciated Chris!

Thanks for jumping in fast, Christopher. As I’ve said before, we are REALLY lucky to have you as part of this community. I wouldn’t be a Roon subscriber without the NAS capability you provide. So thank you. BTW, does the Synology interface have the same vulnerability?

If you’re a Roon user who installs Roon on a Synology DiskStation, you are SAFE this time.

@crieke - Any update on the build you submitted?

First feedback this morning: it seems to have closed the vulnerability.
They are performing further testing now before releasing it to their App Center.

Hi,
I use the Roon App on a QNAP NAS, and I use Tidal with Roon. Both the Roon App and Tidal require access to the internet. I have seen advice not to expose the NAS to the outside world. However, I have not seen a good explanation as to how to accomplish this–at least not advice useful to me (not being an IT expert). I would very much appreciate your help!
Thank you!

That means having your NAS visible/accessible from the internet (port forwarding, remote management and so on), and it’s different from accessing the internet from the NAS (which is, for the most part, OK). In both cases there are rules/settings that you need to implement and respect in order to maximize security.

Try this: QNAP Best Practice for Enhancing NAS Security

Thank you for your response. Can you point to these rules?

For example, I have read advice to disable UPnP and to use port forwarding. However, I have also read advice to disable both UPnP and port forwarding. If both are disabled, how do Roon and Tidal work?

Thanks again!

Thanks so much for your reply! I have implemented those recommendations. However, I’m still left with the questions I addressed to occasionallyhere.

UPnP and Port Forwarding aren’t required for Roon Server and Tidal integration to work. From reading these forums, many QNAP owners (including me) have blocked remote Internet access to our devices without an issue.