Another Series of Critical CVE for QNAP

Three of the other bugs QNAP warned its customers about also received 9.8/10 severity ratings (i.e., CVE-2022-23125CVE-2022-23122CVE-2022-0194), all of them also allowing unauthenticated attackers to execute arbitrary code remotely without requiring authentication on unpatched devices.

On March 22, the Netatalk development team released version 3.1.13 to fix these security bugs, three months after the flaws were reported following the Pwn2Own contest.

QNAP says the Netatalk vulnerabilities (fixed in QTS build 20220419 and later) impact the following operating system versions:

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

QNAP: Disable AFP until firmware gets patched

“QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” the NAS maker said.

“To mitigate these vulnerabilities, disable AFP. We recommend users to check back and install security updates as soon as they become available.”

To disable AFP on your QTS or QuTS hero NAS device, you will have to go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking and select Disable AFP (Apple Filing Protocol).

QNAP is also working on addressing a Linux vulnerability dubbed ‘Dirty Pipe’ actively exploited in attacks that allows gaining root privileges and a high severity OpenSSL bug that can lead to denial of service (DoS) states and remote crashes

While the Dirty Pipe flaw remains to be fixed for NAS devices running QuTScloud c5.0.x, QNAP has only released QTS security updates for the OpenSSL DoS flaw it warned customers about one month ago.

One week ago, customers were also told to mitigate a series of apache vulnerabilities that need to be addressed for devices running QTS, QuTS hero, and QuTScloud.