The Hacker NewsTHN:979E56FFC310C5CADE31A1B249E8E7D7QNAP Advises to Mitigate Remote Hacking Flaws Until Patches are Available
8.8 High
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P
Network-attached storage (NAS) appliance maker QNAP on Wednesday said it’s working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software.
Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like operating systems to serve as file servers for Apple macOS computers.
On March 22, 2022, its maintainers released version 3.1.13 of the software to resolve major security issues — CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, and CVE-2022-0194 — that could be exploited to achieve arbitrary code execution.
“This vulnerability [CVE-2022-23121] can be exploited remotely and does not need authentication,” NCC Group researchers noted last month. “It allows an attacker to get remote code execution as the ‘nobody’ user on the NAS. This user can access private shares that would normally require authentication.”
QNAP noted that the Netatalk vulnerabilities impact the following operating system versions -
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later, and
- QuTScloud c5.0.x
Until the updates are available, the Taiwanese company is recommending users to disable AFP. The flaws have been patched so far in QTS 4.5.4.2012 build 20220419 and later.
The disclosure arrives less than a week after QNAP said it’s investigating its product lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month.
Update: In an independent advisory published on Thursday, Synology confirmed that some of its products, including Synology DiskStation Manager (DSM) and Synology Router Manager (SRM), are impacted by the Netatalk flaws -
- DSM 7.1 (Upgrade to 7.1-42661-1 or above)
- DSM 7.0
- DSM 6.2
- VS Firmware 2.3, and
- SRM 1.2
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related
8.8 High
CVSS3
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
5.8 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P