QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices

2021-09-01 07:11:00
The Hacker News
thehackernews.com
CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Network-attached storage (NAS) appliance maker QNAP said it’s currently investigating two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable.

Tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), the weaknesses concern a high-severity buffer overflow in the SM2 decryption function and a buffer overrun issue when processing ASN.1 strings that could be abused by adversaries to run arbitrary code, cause a denial-of-service condition, or result in disclosure of private memory contents, such as private keys or sensitive plaintext:

“A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash,” according to the advisory for CVE-2021-3711.

OpenSSL, a widely used open-source cryptographic library that provides encrypted connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), addressed the issues in versions OpenSSL 1.1.1l and 1.0.2za that were shipped on August 24.
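An added example (not from the article or any vendor): a small inventory check that flags OpenSSL version banners older than the fixed releases named above, 1.1.1l and 1.0.2za. The host names and banner strings are constructed samples, and a version string alone does not account for fixes backported by a distribution or appliance vendor.

```python
import re

# Fixed releases named in the article, keyed by release branch.
FIXED = {"1.1.1": "l", "1.0.2": "za"}

# Matches e.g. "1.1.1k" or "1.0.2za": numeric branch plus optional patch letters.
_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)([a-z]{0,2})(?![a-z])")


def parse_version(banner):
    """Return (branch, patch_letters) from text such as `openssl version` output."""
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError(f"no OpenSSL version found in {banner!r}")
    return match.group(1), match.group(2)


def _rank(letters):
    # Patch letters run a..z and then za, zb, ...; "" is the base release.
    # Sorting by (length, text) yields "" < "a" < ... < "z" < "za" < "zb".
    return (len(letters), letters)


def patch_status(banner):
    """Classify one banner as 'patched', 'needs-update' or 'unknown-branch'."""
    branch, letters = parse_version(banner)
    if branch not in FIXED:
        return "unknown-branch"  # not a branch the article names; assess separately
    return "patched" if _rank(letters) >= _rank(FIXED[branch]) else "needs-update"


def audit(inventory):
    """Map each host to its patch status."""
    return {host: patch_status(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE_INVENTORY = {
    "nas-01": "OpenSSL 1.1.1k  25 Mar 2021",
    "nas-02": "OpenSSL 1.1.1l  24 Aug 2021",
    "legacy-01": "OpenSSL 1.0.2u  20 Dec 2019",
    "legacy-02": "OpenSSL 1.0.2za",
    "edge-01": "OpenSSL 3.0.0 7 sep 2021",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The letter comparison matters on the 1.0.2 branch, where a plain string comparison would rank "za" below "u" and report a patched host as needing an update.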

In the meantime, NetApp on Tuesday confirmed that the flaws affect a number of its products, while it continues to assess the rest of its lineup:

  • Clustered Data ONTAP
  • Clustered Data ONTAP Antivirus Connector
  • E-Series SANtricity OS Controller Software 11.x
  • NetApp Manageability SDK
  • NetApp SANtricity SMI-S Provider
  • NetApp SolidFire & HCI Management Node
  • NetApp Storage Encryption

The development comes days after NAS maker Synology also disclosed that it has opened an investigation into a number of models, comprising DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server, to check if they are affected by the same two flaws.

“Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack[s] or possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server,” the Taiwanese company said in an advisory.

Other companies whose products rely on OpenSSL have also released security bulletins, including —
