Headline
QNAP Advises to Mitigate Remote Hacking Flaws Until Patches are Available
Network-attached storage (NAS) appliance maker QNAP on Wednesday said it’s working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software. Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like operating systems to serve as file servers for Apple macOS computers. <!-
Network-attached storage (NAS) appliance maker QNAP on Wednesday said it’s working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software.
Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like operating systems to serve as file servers for Apple macOS computers.
On March 22, 2022, its maintainers released version 3.1.13 of the software to resolve major security issues - CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, and CVE-2022-0194 — that could be exploited to achieve arbitrary code execution.
“This vulnerability [CVE-2022-23121] can be exploited remotely and does not need authentication,” NCC Group researchers noted last month. “It allows an attacker to get remote code execution as the ‘nobody’ user on the NAS. This user can access private shares that would normally require authentication.”
QNAP noted that the Netatalk vulnerabilities impact the following operating system versions -
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later, and
- QuTScloud c5.0.x
Until the updates are available, the Taiwanese company is recommending users to disable AFP. The flaws have been patched so far in QTS 4.5.4.2012 build 20220419 and later.
The disclosure arrives less than a week after QNAP said it’s investigating its product lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related news
Security, cost, and reliability top the list of concerns IT teams have about their cloud operations, according to a recent report.
MSRC was informed by Wiz, a cloud security vendor, under Coordinated Vulnerability Disclosure (CVD) of an issue with the Azure Database for PostgreSQL Flexible Server that could result in unauthorized cross-account database access in a region. By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user … Azure Database for PostgreSQL Flexible Server Privilege Escalation and Remote Code Execution Read More »
Cloudflare on Wednesday disclosed that it acted to mitigate a 15.3 million request-per-second (RPS) distributed denial-of-service (DDoS) attack. The web infrastructure and website security company called it one of the "largest HTTPS DDoS attacks on record." "HTTPS DDoS attacks are more expensive in terms of required computational resources because of the higher cost of establishing a secure TLS