Embedded devices: Network-attached storage

Network-attached storage (NAS) is a file-level computer data storage server connected to a computer network providing data access to a heterogeneous group of clients. NAS is specialized for serving files either by its hardware, software, or configuration. NAS systems (manufactured by firms such as QNAP/WD/Synology) are networked appliances that contain one or more storage drives, often arranged into logical, redundant storage containers or RAID. It is often manufactured as a computer appliance – a purpose-built specialized computer.

Popular uses: NAS is useful for more than just general centralized storage provided to client computers in environments with large amounts of data. NAS can enable simpler and lower cost systems such as load-balancing and fault-tolerant email and web server systems by providing storage services. The potential emerging market for NAS is the consumer market where there is a large amount of multi-media data. Such consumer market appliances are now commonly available.

QNAP Systems Inc. is a Taiwanese corporation that specializes in Network-attached storage (NAS) appliances used for file sharing, virtualization, storage management and surveillance applications.
QNAP primarily produces Network-Attached Storage (NAS) appliances, but the company also produces Network Video Recorders (NVR) and Digital Signage (DS).

Synology Inc. is a Taiwanese corporation that specializes in Network-attached storage (NAS) appliances. Synology’s line of NAS is known as the DiskStation for desktop models, FlashStation for all-flash models, and RackStation for rack-mount models.



Network-attached storage devices are becoming increasingly popular for backup, storage and streaming, and with their rise comes a potential risk. NAS stations are a must for secured file sharing and are thus becoming a popular target for hacking attempts.
NAS devices, like similar storage systems, are just like any other network host or web application: if it has a URL or an IP address, it may be at risk. Many storage systems are vulnerable at Layer 7 and below, and in most instances, if a bug or exploit is found, you’ll likely discover you won’t be able to resolve the issues on your own.

Previously, we identified various vulnerabilities in QNAP and similar products: a QNAP QTS unauthenticated remote code execution and a QNAP HelpDesk SQL injection. Another unauthenticated RCE was found in TerraMaster TOS. A Synology DSM remote command injection was also identified in late 2019.

Think you figured out how to run unauthenticated commands on the device? Found a NAS vulnerability and don’t know what to do next? Let us be your guides!