QNAP® Systems, Inc. has been looking into the recent concerns over potential Bash code injection (CVE-2014-6271) that can lead to security vulnerabilities on the Turbo NAS and other Unix/Linux-based systems. A partial solution for CVE-2014-6271 exists but may result in another security vulnerability (CVE-2014-7169). QNAP is actively working on a solution for this issue, but in the meantime encourages all Turbo NAS users to take the following immediate actions to avoid any possible exploitation of their system.
As a temporary measure until a solution is released for this issue, please ensure that the following services of the Turbo NAS are disconnected from the Internet:
Normally the local network is not accessible from the Internet easily, users can still use their Turbo NAS safely. If users still worry about the security of their local network, they can follow the steps to disable the QTS web UI completely, and only turn it on when necessary:
Note: The NAS web administration will become unavailable after taking the above steps. To restore it:
QNAP will keep users updated with the latest information as addressing this issue. If users would like further assistance, please contact QNAP Technical Support at http://helpdesk.qnap.com