QNAP will patch OpenSSL flaws in its NAS devices

Pierluigi Paganini September 01, 2021

Network-attached storage (NAS) appliance maker QNAP is working on security patches for its products affected by recently fixed OpenSSL flaws.

Taiwanese network-attached storage (NAS) appliance maker QNAP announced that it is assessing the potential impact of two recently addressed flaws in OpenSSL on its products. The company also announced that it is working on security updates that address these vulnerabilities.

“An out-of-bounds read vulnerability in OpenSSL has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, the vulnerability allows remote attackers to disclose memory data or execute a denial-of-service (DoS) attack.” reads the advisory published by QNAP. “QNAP is thoroughly investigating the case. We will release security updates and provide further information as soon as possible.”

The two vulnerabilities are CVE-2021-3711 and CVE-2021-3712, respectively a remote code execution (RCE) flaw and a denial-of-service (DoS) flaw.

CVE-2021-3711 is a high-severity buffer overflow flaw that could allow an attacker to change an application’s behavior or cause the app to crash. The vulnerability is tied to the decryption of SM2-encrypted data; the changes depend on the targeted application and the data it maintains (i.e. credentials) in the heap while the issue is exploited.

CVE-2021-3712 is a medium-severity vulnerability that can be exploited by attackers to trigger a denial-of-service (DoS) condition. The flaw could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext).

A few days ago, Taiwanese vendor Synology also announced that the above vulnerabilities in OpenSSL impact some of its products.

“Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack or possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server.” reads the advisory published by the company.

The affected Synology products are:

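| Product | Severity | Status |
| --- | --- | --- |
| DSM 7.0 | Important | Ongoing |
| DSM 6.2 | Moderate | Ongoing |
| DSM UC | Moderate | Ongoing |
| SRM 1.2 | Moderate | Ongoing |
| VPN Plus Server | Important | Ongoing |
| VPN Server | Moderate | Ongoing |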
