QNAP Advises to Mitigate Remote Hacking Flaws Until Patches are Available

Network-attached storage (NAS) appliance maker QNAP on Wednesday said it’s working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software.

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like operating systems to serve as file servers for Apple macOS computers.

On March 22, 2022, its maintainers released version 3.1.13 of the software to resolve major security issues — CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, and CVE-2022-0194 — that could be exploited to achieve arbitrary code execution.

“This vulnerability [CVE-2022-23121] can be exploited remotely and does not need authentication,” NCC Group researchers noted last month. “It allows an attacker to get remote code execution as the ‘nobody’ user on the NAS. This user can access private shares that would normally require authentication.”

QNAP noted that the Netatalk vulnerabilities impact the following operating system versions –

• QTS 5.0.x and later
• QTS 4.5.4 and later
• QTS 4.3.6 and later
• QTS 4.3.4 and later
• QTS 4.3.3 and later
• QTS 4.2.6 and later
• QuTS hero h5.0.x and later
• QuTS hero h4.5.4 and later, and
• QuTScloud c5.0.x

Until the updates are available, the Taiwanese company is recommending users to disable AFP. The flaws have been patched so far in QTS 4.5.4.2012 build 20220419 and later.

The disclosure arrives less than a week after QNAP said it’s investigating its product lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month.