QNAP security advisory for Roon Server

Much appreciated Chris!

Thanks for jumping in fast, Christopher. As I’ve said before, we are REALLY lucky to have you as part of this community. I wouldn’t be a Roon subscriber without the NAS capability you provide. So thank you. BTW, does the Synology interface have the same vulnerability?


If you’re a Roon user who installs Roon on a Synology DiskStation, you are SAFE this time.

@crieke - Any update on the build you submitted?


First feedback this morning: it seems to have closed the vulnerability.
They do perform further testing now before releasing it to their app center.


Hi,
I use the Roon App on a QNAP NAS, and I use Tidal with Roon. Both the Roon App and Tidal require access to the internet. I have seen advice not to expose the NAS to the outside world. However, I have not seen a good explanation as to how to accomplish this–at least not advice useful to me (not being an IT expert). I would very much appreciate your help!
Thank you!

That means having your NAS visible/accessible from the internet (port forwarding, remote management and so on), and it’s different from accessing the internet from the NAS (which is, for the most part, OK). In both cases there are rules/settings that you need to implement and respect in order to maximize security.

Try this: QNAP Best Practice for Enhancing NAS Security

Thank you for your response. Can you point to these rules?

For example, I have read advice to disable UPnP and to use port forwarding. However, I have also read advice to disable both UPnP and port forwarding. If both are disabled, how do Roon and Tidal work?

Thanks again!

Thanks so much for your reply! I have implemented those recommendations. However, I’m still left with the questions I addressed to occasionallyhere.

UPnP and Port Forwarding aren’t required for Roon Server and Tidal integration to work. From reading these forums, many QNAP owners (including me) have blocked remote Internet access to our devices without an issue.

You don’t need UPnP and it’s the best practice to disable it.

Port forwarding is a “technique” used when you need to access your NAS (or any computer for that matter) from the internet. It’s not needed for a regular (normal, in house, over the same network) use of Roon, Tidal or Qobuz.

Thank you both, Terry and occasionally here. Much appreciated! I’ll give it a try.

Just saw an article about ransomware being targeted at Roon users running on QNAP. Could not find any current threads on this in the Roon Community. Can Roon support provide an update? I currently have disabled Roon on my QNAP NAS. Need an E.T.A. on when the zero day threat will be patched and remediated in Roon software.

Beware of eCh0raix Ransomware Attacks, QNAP Warns Customers – E Hacking News (rootdaemon.com)

As mentioned above, this isn’t actually a Roon issue. Also above you’ll see @crieke’s response that it’s hopefully been fixed and awaiting QNAP approval.

Sorry for looking stupid here (it’s a hobby of mine), how do I turn off internet access on my TS-253b, and will it still be able to update apps / firmware etc.?

Is this resolved yet?

It is a Roon issue. @crieke may be the lead author but Roon should be supporting him here. @support and @danny should be all over this…


I know this is a “community developed” platform integration but as someone very new to Roon, I find the lack of any kind of statement from the team to be an unwelcome surprise.


It’s all been said. The issue has been corrected and is awaiting QNAP’s testing before release…


Hi, while sorting out the recent QNAP security advisory on the vulnerability in the Roon server, I took the QNAP NAS offline. Per the recommendations of occasionallyhere and Terry, I disabled UPnP on my router and NAS (where I also disabled Bonjour). I have never used port forwarding. The router’s security assessment did not identify any issues, and QNAP’s Security Counselor found nothing of substance.
Despite these changes and the device security self-scan results, when I put the NAS back online, the hacking attempts resumed where they had left off.

I have implemented QNAP’s recommendations to reduce the probability of a successful hack. If there are further recommendations to avoid hacking attempts, I would very much appreciate learning of them.

Thank you!