Recently, many community users such as V2EX reported that,Feiniu fnOS has a major security vulnerability that allows access to any file on the NAS through path traversal, including system configuration and user storage files.

Early this morning, Feiniu fnOS officially released an important security update notice, saying that during the recent security inspection and user feedback analysis process, Feiniu’s technical team discovered that some devices have abnormal access risks in the public network environment.

When the affected device provides network services, the stability of the system and some applications may be affected due to abnormal external traffic.

In response to this abnormal behavior,The official has pushed the security update of version 1.1.15 as soon as possible and issued an upgrade notice to all users to block abnormal behaviors.

After in-depth analysis by Feiniu, this attack has obvious directional attributes targeting fnOS and uses a multi-dimensional compound attack technique.

In the past week, the technical team has urgently investigated a large number of abnormal devices, continued to track Trojan samples and their variants, and conducted in-depth analysis.

Currently, the security team has completed the reverse engineering of the attack link and released system security updates to block such attacks.

Feiniu suggested,When the NAS device opens access to the public network, give priority to secure access methods (encrypted tunnel/2FA verification/turn on firewall, etc.) to further reduce potential security risks.

In response to this announcement, some Feiniu NAS users pointed out that in the face of user privacy leaks due to vulnerabilities, Feiniu chose not to give an early warning, but to belatedly "avoid the important and take the easy" and use vague words like "abnormal access" to cover up the facts. Please do not use this "cover-up" approach to consume users' trust.

In this regard, Feiniu said that the normal disclosure process of security vulnerabilities requires disclosure after the vulnerability is repaired. In the past week, it has been contacting abnormal users and reversing the intrusion process. It cannot be disclosed until it is completely repaired.

Feiniu said that the details of the vulnerability cannot be disclosed directly, otherwise there will be a higher risk of being exploited by malicious people.

Data shows that Feiniu fnOS is a domestic free NAS operating system based on the in-depth development of the Debian Linux kernel. Individual users can convert idle NAS or PC devices into private cloud storage.