All these stories about QNAP (etc.) make me glad that I build my own servers, rather than getting some easy-to-setup, but non-upgradable, box. (E.g., I'm running 0.103.2, at the minor cost of having to build it from source.)

On Thu, 6 May 2021 13:18:20 +0100 (BST) "G.W. Haywood via clamav-users" <clamav-users@lists.clamav.net> wrote:

> Hi there,
>
> On Thu, 6 May 2021, Matus UHLAR - fantomas wrote:
> > On 06.05.21 12:19, Chellini Stefano via clamav-users wrote:
> >> My QNAP NAS It is EOL , it is TS419-PII
> >>
> >> Is it available an option to upgrade the antivirus on it ?
> >
> > it should be installable through entware package, but as it only has 512MB
> > of RAM, it's largely useless there (may not work properly).
>
> QNAP devices have been mentioned several times on this list recently.
>
> A very little searching will reveal why.
>
> There seems to be little doubt that the responses to the reports by
> researchers of critical vulnerabilities have left much to be desired:
>
> https://securingsam.com/new-vulnerabilities-allow-complete-takeover/
> https://portswigger.net/daily-swig/qnap-fixes-critical-rce-vulnerabilities-in-nas-devices
> https://www.zdnet.com/article/hundreds-of-thousands-of-qnap-devices-vulnerable-to-remote-takeover-attacks/
>
> If you own one of these devices, I guess that these blog posts make
> uncomfortable reading.
>
> Even if it would be capable of running ClamAV, installing it on any
> vulnerable device would be pointless; this would not magically make
> the device any less vulnerable. The vulnerabilities can only be fixed
> by security patches or upgrades, or perhaps by some serious hacking
> which is likely to be well beyond the average user.
>
> My view is that given their dubious history, QNAP devices should be
> taken out of service unless they're in environments protected by
> people who *really* know what they're doing - people who can create a
> demonstrably safe firewall configuration. Again well beyond average.
>
> Otherwise, these things are just compromises waiting to happen.
>
> They're powerful enough to be attractive targets. They're easy enough
> to find. Even when up to date with patches, next time around we'll
> probably see the same unsatisfactory response leave more low-hanging
> fruit for the criminals. They represent risk not just to their users,
> but, after they're taken over for use as part of the extensive and
> ever-growing criminal infrastructure, to the rest of us as well.
>
> Do us all a favour and get rid of them.
>
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml