Pierluigi Paganini April 20, 2022

QNAP urges customers to disable Universal Plug and Play (UPnP) port forwarding on their routers to secure their NAS devices.

Taiwanese vendor QNAP urges customers to disable Universal Plug and Play (UPnP) port forwarding on their routers to protect their network-attached storage (NAS) devices from attacks. UPnP is an insecure protocol, it uses network UDP multicasts, and doesn’t support encryption and authentication.

Universal Plug and Play (UPnP) is a set of networking protocols that allows networked devices to seamlessly discover each other’s presence on the network and establish functional network services.

UPnP Port Forwarding allows network devices to communicate with each other more efficiently and to automatically create workgroups for data sharing, among other applications.

Threat actors can abuse UPnP to infect a system and take over it, UPnP may expose user devices to public networks and malicious attacks.

“It is recommended that your QNAP NAS stay behind your router and firewall without a public IP address. You should disable manual port forwarding and UPnP auto port forwarding for QNAP NAS in your router configuration.” reads the advisory published by QNAP. “The myQNAPcloud Link service provided by QNAP is a good way for most users to access their QNAP NAS. The transmission speed may be slightly slower because the traffic is relayed through QNAP’s servers.”

The vendor also recommends enabling the VPN server function on the user router to access QNAP NAS from the Internet. Users can also remotely connect their devices by enabling the VPN server on QNAP NAS by installing the QVPN Service app or deploying QuWAN, SD-WAN solution.

The vendor also warned customers in January to secure their NAS devices immediately from active ransomware and brute-force attacks.

Users that have to access their NAS devices directly from the Internet are recommended to perform the following actions:

• Put your QNAP NAS behind your router and firewall. Do not let your QNAP NAS obtain a public IP address. Turn off UPnP on QNAP NAS, manually set up port forwarding in your router configuration only for the network ports required by the QNAP NAS services you use.
• Disable any service that you are not using, such as Telnet, SSH, web server, SQL server, phpMyAdmin and PostgreSQL.
• Change default external (Internet side) port numbers, such as 21, 22, 80, 443, 8080 and 8081, to custom (random) ones. For example, change 8080 to 9527.
• Only use encrypted HTTPS or other types of secure connections (SSH, etc.).
• Install QuFirewall on your QNAP NAS and limit allowed IP addresses to a specific region or subnet.
• Set up a new administrator account, and disable the default admin account.
• Enforce a strong password policy for all NAS users, including the new administrator account you’ve just created.
• Configure MFA (2-Step Verification) on QNAP NAS.
• Enable automatic OS and app updates. You can schedule updates to avoid interrupting backup/sync or other tasks.
• Enable IP access protection to block IP addresses with too many failed login attempts.

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, NAS)

[adrotate banner=”5″]

[adrotate banner=”13″]