QNAP has decided to extend support for some of its network-attached storage (NAS) devices that had reached end of life (EOL), but the additional support does come with a caveat.
Businesses sporting unsupported devices will get until October this year to upgrade, but even with extended support, only certain risks will be mitigated.
“EOL models may lack computational capabilities, be short on operational memory, be unable to receive up-to-date component drivers, or possess other technical constraints or deprecated technology,” BleepingComputer cited the Taiwanese NAS maker as saying.
Addressing high severity vulnerabilities only
“Due to these reasons, QNAP normally maintains security updates for four years after a product passes its EOL date. As a special effort to help users protect their devices from today’s security threats, QNAP has extended security updates for some EOL models till October 2022.”
These updates, however, will only address high-severity and critical vulnerabilities, meaning some relatively dangerous flaws might still make it through with malware.
In the same announcement, the company warned customers not to expose EOL NAS devices to the internet, as they might easily be targeted by malicious actors already acquainted with certain unpatched vulnerabilities.
Owners of EOL NAS devices should do these two things to defend from attacks, QNAP suggested:
Disable the Port Forwarding function of the router (in the router’s management interface, check the Virtual Server, NAT, Port Forwarding settings, and disable the port forwarding settings for port 8080 and 433); Disable the UPnP function of the QNAP NAS (on the QTS menu, navigate to myQNAPcloud > Auto Router Configuration, and unselect “Enable UPnP Port forwarding.”
In late December last year, some QNAP NAS device owners were targeted by the eCh0raix ransomware. The threat actors were allowed to create a user in the administrator group, after which they managed to encrypt all the files on the NAS system. A free decryptor is available online, but only for older versions of the ransomware.