Security ID: NAS-201801-08
Security Advisory for Meltdown and Spectre Vulnerabilities
Release date: January 8, 2018
CVE identifier: CVE-2017-5715 | CVE-2017-5753 | CVE-2017-5754
Affected products: Several QNAP NAS models (The list will be updated after our ongoing investigation.)
Severity: High
Status: Resolved
Summary
Two major security flaws, Meltdown and Spectre, were found in a number of widely used processors. Meltdown (CVE-2017-5754) affects Intel and ARM processors, while Spectre (CVE-2017-5715, CVE-2017-5753) affects several processors from Intel, ARM, and AMD. If exploited, these vulnerabilities may allow remote attackers to access sensitive data.
We have identified a number of affected QNAP NAS models. You can find the comprehensive list below. We are currently working on software updates to fix these vulnerabilities.
We will continue updating this advisory with the latest information.
Affected NAS models
Enterprise NAS
8-bay: TS-879 Pro, TS-879U-RP, TS-EC879U-RP, TS-EC880 Pro, TS-EC880U R2, TS-EC880U-RP, TVS-EC880
10-bay: TS-1079 Pro, TS-EC1080 Pro, TVS-EC1080, TVS-EC1080+
12-bay: SS-EC1279U-SAS-RP, TS-1279U-RP, TS-EC1279U-RP, TS-EC1279U-SAS-RP, TS-EC1280U R2, TS-EC1280U-RP, TVS-EC1280U-SAS-RP, TVS-EC1280U-SAS-RP R2
15-bay: TVS-EC1580MU-SAS-RP, TVS-EC1580MU-SAS-RP R2
16-bay: ES1640dc, ES1640dc v2, TDS-16489U, TS-1679U-RP, TS-1685, TS-EC1679U-SAS-RP, TS-EC1679U-RP, TS-EC1680U R2, TS-EC1680U-RP, TVS-EC1680U-SAS-RP, TVS-EC1680U-SAS-RP R2
18-bay: TES-1885U
24-bay: TS-EC2480U R2, TVS-EC2480U-SAS-RP, TVS-EC2480U-SAS-RP R2, TS-EC2480U-RP
30-bay: TES-3085U
SMB NAS
1-bay: TS-131
2-bay: TS-231, TS-239 Pro, TS-239 Pro II, TS-239 Pro II+, TS-239H, TS-253 Pro, TS-253A, TS-253B, TS-259 Pro, TS-259 Pro+, TS-269 Pro, TS-269H, TS-269L
4-bay: IS-400 Pro, IS-453S, SS-439 Pro, TBS-453A, TS-431, TS-431U, TS-431X, TS-431X2, TS-431XeU, TS-431XU, TS-431XU-RP, TS-439 Pro, TS-439 Pro II, TS-439 Pro II+, TS-439U-RP/SP, TS-451, TS-451S, TS-451U, TS-453 mini, TS-453 Pro, TS-453A, TS-453B, TS-453B mini, TS-453BT3, TS-453BU, TS-453BU-RP, TS-453S Pro, TS-453U, TS-453U-RP, TS-459 Pro, TS-459 Pro II, TS-459 Pro+, TS-459U-RP/SP, TS-459U-RP+SP+, TS-463U, TS-463U-RP, TS-469 Pro, TS-469L, TS-469U-RP, TS-469U-SP, TS-470, TS-470 Pro, TS-470U-SP, TS-470U-RP, TVS-463, TVS-470, TVS-471, TVS-471U, TVS-471U-RP, TVS-473, TVS-473e
5-bay: TS-531P, TS-531X, TS-559 Pro, TS-559 Pro II, TS-559 Pro+, TS-563, TS-569 Pro, TS-569L
6-bay: TS-639 Pro, TS-651, TS-653 Pro, TS-653A, TS-653B, TS-659 Pro, TS-659 Pro II, TS-659 Pro+, TS-669 Pro, TS-669L, TS-670, TS-670 Pro, TS-677, TVS-663, TVS-670, TVS-671, TVS-673, TVS-673e, TVS-682, TVS-682T
8-bay: SS-839 Pro, TS-809 Pro, TS-809U-RP, TS-831X, TS-831XU, TS-831XU-RP, TS-851, TS-853 Pro, TS-853A, TS-853BU, TS-853BU-RP, TS-853S Pro, TS-853U, TS-853U-RP, TS-859 Pro, TS-859 Pro+, TS-859U-RP, TS-859U-RP+, TS-863U, TS-863U-RP, TS-869 Pro, TS-869L, TS-869U-RP, TS-870, TS-870 Pro, TS-870U-RP, TS-873U, TS-873U-RP, TS-877, TVS-863, TVS-863+, TVS-870, TVS-871, TVS-871T, TVS-871U-RP, TVS-873, TVS-873e, TVS-882, TVS-882BR, TVS-882BRT3, TVS-882S, TVS-882ST2, TVS-882ST3, TVS-882T
12-bay: TS-1231XU, TS-1231XU-RP, TS-1253BU, TS-1253BU-RP, TS-1253U, TS-1253U-RP, TS-1263U, TS-1263U-RP, TS-1269U-RP, TS-1270U-RP, TVS-1271U-RP, TS-1273U, TS-1273U-RP, TS-1277, TVS-1282, TVS-1282T, TVS-1282T3
15-bay: TVS-1582TU
16-bay: TS-1635, TS-1673U, TS-1673U-RP
18-bay: SS-EC1879U-SAS-RP
24-bay: SS-EC2479U-SAS-RP
Home & SOHO NAS
1-bay: TS-131P
2-bay: TS-231+, TS-231P, TS-231P2, TS-251, TS-251+, HS-251, TS-251A, TS-251C, HS-251+
4-bay: TS-431+, TS-431P, TS-431P2, TS-451+, TS-451A
Recommendations:
Since attackers may attempt to compromise QNAP devices using malicious code and applications, QNAP recommends the following precautions:
- Do not install applications from unknown third-party sources.
- Do not open or run unknown virtual machine (VM) images on your device.
- Do not run unknown software in Container Station.
Revision History:
• V1.2 (January 16, 2018) - Updated the list of affected products
• V1.1 (January 11, 2018) - Updated with the initial list of affected products and recommendations
• V1.0 (January 8, 2018) - Published