QNAP security advisory for Roon Server

Meanwhile I received an answer from QNAP and they are stating to don’t have any plan to restore the Roon application back on the App center.

Here below the original German text:

“vielen Dank für Ihre Nachricht. Leider wird der Roon Server bis auf weiteres aus dem Store entfernt. Es gibt auch noch keine Pläne Ihn wieder einzuführen.”

This is really bad news…I hope we can install it manually as before.

Any official statement from Roon?

When QNAP “contacted Roon”, they contacted @crieke, not us. I spoke to @crieke as soon as I saw this post, and he had identified the issue and was already working on a fix. The fix came hours later. The code affected is not code we wrote/own/maintain. @crieke has our full support, and even has access to our private Slack server, where he has a direct line of priority access to myself and the rest of our team. My communication with him was via this Slack, where he responded to me within seconds.

I reached out to @crieke who not only had identified a issue, created a fix, but also posted here with transparent and informative information. I made his post “staff colored”, but did not add anything further because there was no further information for me to add. He was on it.

You have confused two matters.

  1. QNAP users are being targeted by ransomware due to weak passwords
  2. this issue with the Web UI on the QNAP’s Roon QPKG

They are unrelated. They were just announced at the same time.

The issue was a “sanitization bug” in @crieke’s web UI for QNAP, not RoonServer, as the advisory states. No changes are planned to be made to RoonServer which remains safe.

The sanitization bug can only be dangerous if the outside world has access to your QNAP’s admin interface.

@crieke has posted a fix and asked QNAP to reinstate his package.

This sounds like a message from a support person who is not involved in the process of re-approval of the QPKG in their “app store”. I wouldn’t read too much into it.

RoonServer is supported by Roon, and can be downloaded at roonlabs.com/downloads – it will work on QNAP and other NASs, but may require custom installation into those systems. This is something Roon does not provide support for.

Roon on QNAP and other NASs is community supported by @crieke. He maintains a site for this here: Roon on NAS.

Here, I have found a link for “(PreRelease) Installer for QNAP (x64)” – I assume this is the “manual” method.

@crieke, can you please comment about the manual process?

5 Likes

Please take care about the manual download/installation file, because this is an older version and not the current fix!

1 Like

Thank you very much Danny. Your post clarify a lot.

Yes the Qnap answer that I got came from service desk guy…

I will wait for crieke instructions on how to proceed with the manual process then.

I have put the updated qpkg on the roononnas.org website for manual installation. I added a note to it, to install it at your own risk, as it has not yet been approved (or rejected) by QNAP.

I have added checks to verify the session id of the logged in user and added a sanitation step for a function (which is responsible for storing the database location). These were the areas, that have been reported to cause the security issue. I am very sorry for the trouble this might have caused.

15 Likes

Please don’t feel sorry for this situation as you kindly volunteer your time and expertise to provide a very useful resource for Roon QNAP users. Personally, I am very grateful for what you do.

8 Likes

Thanks as always Christopher for all your great work on this. New package installed no problem. Up and running and playing music and loving it.

Thank you Christopher for great work with Roon on QNAP! I manually installed the new version and it works great. I also turned QNAP internet access back on now so my Plex remote access works again.

Thanks a lot Christopher! Really appreciated

1 Like

Chris, is it build 795 that is on your web site?

Thanks for all your efforts

No it is the RoonServer App for QNAP – no Roon included. Use your Roon remote to update Roon (Settings|About).

1 Like

Vielen Dank Christopher :grinning:

I’ve talked to Qnap and they’re asking me when Roon corrected the software and forwarded it to Qnap. Don’t the two organizations talk? Seems like a communication breakdown but in the meantime, I have a friend that paid $700 for the lifetime subscription and can’t install Roon on his Qnap NAS.

Have you read this thread before posting this? I recommend you read crieke’s previous post from 8 days ago.

1 Like

The updated QNAP App is here for download and manual install: - https://roononnas.org/en/roon-on-nas/

Hi @Carroll_McDonald,
sometimes this community is not easy to understand and you get nice comments.
I didn’t get everything here, because I have other hobbies too.

If you click on the LINK from “Scotav” you have to scroll down until you see this:
image

And I guess the installer for QNAP from May 18th 2021 is the installation file (a qpkg-file).
From the QNAP QTS App you have to go to manual installation and click on that downloaded file.
I hope this explanation is not completely wrong, but maybe others can help and correct.
Thanks.

Is there any update on when QNAP will publish the updated Roon package download form within their App Center?

Version 2021-05-18 is available in the QNAP App Center now.
I strongly suggest to perform the update, if you have not already installed this version.

9 Likes

Thanks for your help on this.

If I go into the AppCenter app on the QNAP I do not see an update, is this expected? Am I supposed to open Roon Server and “replace the current Roon Server”? Or has the new app just not propagated every place.