The impact of a critical bug originally believed to open 30,000 QNAP network-attached storage (NAS) devices to attack was likely overstated. Researchers now say the QNAP arbitrary code injection bug, with a CVSS score of 9.8, poses little threat to QNAP users.
Researchers at Censys reported last week that 98% of QNAP devices (QTS 5.0.1 and QuTS hero h5.0.1), representing over 30,000 in-use instances, were unpatched and vulnerable to attack via the internet. Censys now tells SC Media that because QNAP likely failed to properly identify the range of affected NAS models, zero of the company’s devices appear vulnerable to attack via the critical bug (CVE-2022-27596).
Marc Light, vice president of data science and research at Censys, said researchers built their observations on what QNAP posted in its JSON-encoded attachment, along with the NVD advisory from NIST.
Light pointed out that QNAP has updated the CVE record (CVE-2022-27596) now stating that QTS 5.0.0, QTS 4.xx, QuTS hero 5.0.0 and QuTS hero 4.5x are not affected.
While some security researchers still wonder what changed for QNAP to alter its assessment, most said that, for now, they had to take QNAP at face value and accept that QNAP may have made a mistake about how many QNAP NAS devices were exposed to the internet and open to attack.
“This drastically changes the outcome of our report, as most of the devices we observed were running version 5.0.0 and version 4.3.3, both of which have now been made