NAS Adapter Security Vulnerability

In regards to the recent NAS Adapter security vulnerability which has been posted to several websites:

The vulnerability has been reproduced and carefully analyzed to gauage the severity of the exploit. Below are facts we have found.

1. An intruder without the NAS Adapter administrator password cannot execute the exploit
The vulnerability is considered a post-authentication exploit, meaning that the user must already be authenticated as the administrator in the NAS Adapter web interface in order to perform the exploit. As an administrator with full credentials to access the NAS Adapter web interface, there would be no motive to produce the buffer overflow condition. In short, any intruder without the NAS adapter administrator password cannot execute this exploit.

2. The vulnerability cannot be executed accidentally
A regular user accessing the NAS Adapter web interface will never accidentally encounter the buffer overflow condition due to the fact that the vulnerability is produced via querystring, rather than the standard method of entering data through text fields from NAS Adapter web interface.

Download the latest firmware to fix the vulnerability
The NAS Adapter firmware NASU2FW46A and newer circumvent the buffer overflow condition by limiting the invalid querystring. We recommend that users still concerned about the security vulnerability request the latest version of firmware from Addonics customer support.