CVE-2021-34362
📋 TL;DR
CVE-2021-34362 is a command injection vulnerability in QNAP's Media Streaming add-on that allows remote attackers to execute arbitrary commands on affected devices. It affects QNAP NAS devices running vulnerable versions of the Media Streaming add-on. The vulnerability has been fixed in specific add-on versions released in August/September 2021.
💻 Affected Systems
- QNAP NAS devices with Media Streaming add-on
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to install malware, exfiltrate data, pivot to other network systems, or deploy ransomware on the NAS device.
Likely Case
Remote code execution leading to data theft, unauthorized access to stored media files, or use of the device as part of a botnet.
If Mitigated
Limited impact if the device is isolated from the internet and strict network segmentation is implemented.
🎯 Exploit Status
Command injection vulnerabilities are typically easy to exploit. QNAP devices have been heavily targeted by ransomware groups and botnets in recent years.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Media Streaming add-on: QTS 5.0.0/4.5.4/QuTS-Hero 5.0.0: 500.0.0.3+, QTS 4.3.6/4.3.3: 430.1.8.12+
Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-21-44
Restart Required: Yes
Instructions:
1. Log into QNAP web interface.
2. Go to App Center.
3. Check for updates for Media Streaming add-on.
4. Install the patched version.
5. Restart the NAS device.
🔧 Temporary Workarounds
Disable Media Streaming add-on
All platforms: Temporarily disable the vulnerable component until patching is possible
# In QNAP web interface: App Center → Media Streaming → Uninstall
Network isolation
All platforms: Block external access to QNAP device on all ports
# On firewall/router: Block inbound traffic to QNAP IP on all ports
🧯 If You Can't Patch
- Disable Media Streaming add-on completely via App Center
- Implement strict network segmentation and firewall rules to isolate QNAP device from internet and other critical systems
🔍 How to Verify
Check if Vulnerable:
Check the Media Streaming add-on version in QNAP App Center. If the version is below the patched versions listed under Official Fix, the device is vulnerable.
Check Version:
# SSH into QNAP and check: getcfg -f /etc/config/qpkg.conf MediaStreaming Version
Verify Fix Applied:
Verify Media Streaming add-on version shows patched version (500.0.0.3+ for QTS 5.0.0/4.5.4/QuTS-Hero 5.0.0, or 430.1.8.12+ for QTS 4.3.6/4.3.3)
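The version comparison described above, as an added example rather than code from the advisory or QNAP: a POSIX shell function that classifies a reported add-on version against the two patched versions on this page. The names `ver_ge` and `addon_status` are hypothetical, and the code assumes the first version field (500 or 430) identifies which patched version applies.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# ver_ge A B: succeed if dotted version A >= B, comparing each field
# numerically (so 430.1.8.9 < 430.1.8.12); missing fields count as 0.
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        x=${x:-0} y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# addon_status VERSION: print "patched", "vulnerable" or "unknown".
# Assumption: the leading field selects the branch (500.x for
# QTS 5.0.0/4.5.4/QuTS-Hero 5.0.0, 430.x for QTS 4.3.6/4.3.3).
addon_status() {
    case $1 in
        ''|*[!0-9.]*) echo unknown; return ;;   # empty or non-numeric input
    esac
    case ${1%%.*} in
        500) min=500.0.0.3 ;;
        430) min=430.1.8.12 ;;
        *)   echo unknown; return ;;            # branch not covered here
    esac
    if ver_ge "$1" "$min"; then echo patched; else echo vulnerable; fi
}

# On the NAS, feed it the output of the page's version command:
#   addon_status "$(getcfg -f /etc/config/qpkg.conf MediaStreaming Version)"

# Constructed sample versions, for demonstration only.
for v in 500.0.0.2 500.0.0.3 430.1.8.9 430.1.8.12; do
    printf '%s %s\n' "$v" "$(addon_status "$v")"
done
```

An "unknown" result means the version string did not match either branch and should be checked by hand in App Center.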
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in system logs
- Failed authentication attempts followed by successful access
- Suspicious processes running on QNAP device
Network Indicators:
- Unusual outbound connections from QNAP device
- Traffic to known malicious IPs
- Unexpected port scanning from QNAP IP
SIEM Query:
source="qnap_logs" AND ("command injection" OR "unauthorized access" OR ("MediaStreaming" AND "exec"))