Security vulnerability with Roon Server on QNAP NAS

QNAP Systems Inc. reports a vulnerability of QNAP NAS systems in connection with Roon Server. The problem affects all users who use Roon Server directly as a corresponding app on a QNAP NAS.

The media management and multi-room audio streaming software Roon from Roon Labs LLC can, as is well known, be used on a variety of solutions. This applies not only to the Roon Controller but also to the Roon Server, the so-called Roon Core.

Roon Server runs on PCs and Macs and is available for Apple macOS, Microsoft Windows and Linux. In certain configurations it can also run directly on a NAS, for example on NAS systems from the specialist QNAP Systems Inc. Separate apps are available for this via the administration interface of the NAS systems.

QNAP Systems Inc. is now reporting a vulnerability in this Roon Server app for QNAP NAS systems under security ID QSA-21-17.

“The QNAP security team has discovered an attack campaign related to a vulnerability in Roon Server.”

This is said to affect all QNAP NAS systems that have Roon Server 2021-02-01 or any earlier version installed.

QNAP has already contacted Roon Labs LLC and is investigating the case thoroughly. It will also release security updates and provide further information as soon as possible.

Until the corresponding security update from Roon Labs is available, QNAP recommends that users either keep their NAS disconnected from the Internet or completely disable Roon Server on the NAS to prevent potential attacks.

In the corresponding posting, QNAP also describes how to deactivate Roon Server on a QNAP NAS:

  1. Log on to QTS as administrator.
  2. Open the App Center and then click the search icon.
    A search box appears.
  3. Type “Roon Server” and then press ENTER.
    Roon Server appears in the search results.
  4. Click the arrow below the Roon Server icon.
  5. Select Stop.
    The application is disabled.

Getting to the point

Yes, the wonderful world of multi-room audio streaming is ultimately nothing but “IT” and therefore just as vulnerable as all other network and IT solutions. It was therefore only a matter of time before a widespread system was targeted by attacks, as is now the case with Roon Labs LLC.

However, and this should be explicitly emphasised, only users who operate Roon servers directly on a QNAP NAS are affected. If the NAS is only used to store data and the Roon Server is operated on another device (PC, Mac, Roon NUCLEUS or Roon NUCLEUS+…), there is no security risk.

Manufacturer: QNAP Systems Inc.

Michael Holzinger

Michael Holzinger, founder and editor-in-chief of HiFi BLOG and, has been working for years as a journalist in the fields of IT, photography, telecommunications and consumer electronics.
