Synology And QNAP Critical Netatalk Vulnerability

Synology and QNAP have warned their customers about serious vulnerabilities in their NAS devices. The flaws, which lie in the Netatalk AFP service shipped with their network-attached storage (NAS) appliances, could allow attackers to gain remote access to vulnerable systems, modify data, or execute malicious code.

QNAP urged its users to disable the AFP file service on their NAS devices. The company warned that the protocol was affected by the security flaws and advised customers to keep it disabled until a fix is released.

During the Pwn2Own contest, NCC Group's EDG team exploited a remote code execution flaw in Western Digital's PR4100 NAS. The vulnerability carries a CVSS severity score of 9.8 out of 10 and is tracked as CVE-2022-23121.

Synology identified and reported three further vulnerabilities (CVE-2022-23125, CVE-2022-23122 and CVE-2022-0194) that carry the same rating.

QNAP stated that the Netatalk vulnerabilities affect multiple versions of its QTS and QuTS hero operating systems, as well as QuTScloud, its cloud-optimized NAS operating system.

Mitigation

Synology and QNAP have released updates for some devices. Install security updates as soon as they become available.

For Synology, see the updated security advisory page for further information.

  • DSM 7.1 already has a patch available (7.1-42661-1).
  • Since AFP has been deprecated by Apple for a long time, it is disabled by default in DSM 7.0. Most vendors including Apple have encouraged usage of SMB instead of AFP when accessing files on network storage.
  • For users who don’t need AFP and have not upgraded to DSM 7.1, we recommend making sure AFP is disabled (this can be done in Control Panel) to mitigate the issue.


For QNAP, see the Security Advisory List for further information.

QNAP has already fixed the vulnerabilities in the following versions of QTS:

  • QTS 4.5.4.2012 build 20220419 and later
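As an added example, not from the original post or from either vendor, the following Python script applies the mitigation logic above to a constructed NAS inventory: a device is "patched" if its firmware is at or beyond the fixed version quoted on this page, "mitigated" if it is unpatched but has AFP switched off, and "at-risk" otherwise. The hostnames, firmware strings and AFP settings in the inventory are made up, and the script assumes that any DSM or QTS version string that sorts later than the quoted fix also carries it; for a real assessment, check the vendor advisory for your exact product line.

```python
import re
from dataclasses import dataclass

# Fixed versions as quoted on this page (Synology DSM hotfix and QNAP QTS build).
DSM_FIXED = "7.1-42661-1"
QTS_FIXED = "4.5.4.2012 build 20220419"


def parse_dsm(version: str) -> tuple:
    """Parse a DSM version such as '7.1-42661-1' or '6.2.4-25556-5' into
    (major, minor, patch, build, hotfix). Patch and hotfix default to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version: {version!r}")
    major, minor, patch, build, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build), int(hotfix or 0))


def parse_qts(version: str) -> tuple:
    """Parse a QTS version such as '4.5.4.2012 build 20220419' into
    (major, minor, patch, revision, build_date)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})",
                     version.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised QTS version: {version!r}")
    return tuple(int(part) for part in m.groups())


@dataclass
class NasDevice:
    name: str
    vendor: str        # "synology" or "qnap"
    version: str       # DSM or QTS version string as shown in the admin UI
    afp_enabled: bool  # whether the AFP file service is switched on


def assess(dev: NasDevice) -> str:
    """Return 'patched', 'mitigated' (unpatched but AFP off) or 'at-risk'.

    Assumption: a version that compares greater than or equal to the fixed
    version includes the Netatalk fix (tuple comparison, field by field)."""
    vendor = dev.vendor.lower()
    if vendor == "synology":
        patched = parse_dsm(dev.version) >= parse_dsm(DSM_FIXED)
    elif vendor == "qnap":
        patched = parse_qts(dev.version) >= parse_qts(QTS_FIXED)
    else:
        raise ValueError(f"unknown vendor: {dev.vendor!r}")
    if patched:
        return "patched"
    if not dev.afp_enabled:
        return "mitigated"  # AFP off means the Netatalk service is not exposed
    return "at-risk"


# Constructed inventory: hypothetical hostnames, firmware strings and settings.
INVENTORY = [
    NasDevice("nas-hq-01", "synology", "7.1-42661-1", afp_enabled=True),
    NasDevice("nas-hq-02", "synology", "7.0-41890", afp_enabled=False),
    NasDevice("nas-branch-01", "synology", "6.2.4-25556", afp_enabled=True),
    NasDevice("qnap-lab-01", "qnap", "4.5.4.2012 build 20220419", afp_enabled=True),
    NasDevice("qnap-lab-02", "qnap", "4.5.4.1991 build 20220329", afp_enabled=True),
]


def audit(devices=INVENTORY) -> dict:
    """Map each device name to its status so the result can be reported or asserted on."""
    return {dev.name: assess(dev) for dev in devices}


if __name__ == "__main__":
    for name, status in audit().items():
        print(f"{name:14} {status}")
```

Devices reported as "at-risk" are the ones to patch first or, where no update exists yet, to take AFP offline on as the vendors advise.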

I hope this article was helpful. If you have any questions, please feel free to contact me. If you would like to be notified when I create a new post, you can subscribe to my blog alert.
