QNAP Will Soon Release Security Patches for OpenSSL Vulnerabilities Affecting Its NAS Devices
Among other things, these flaws could enable remote attackers to read memory data without authorization and trigger denial-of-service (DoS) attacks.
QNAP Systems, Inc., the Taiwanese maker of network-attached storage (NAS) appliances, is preparing security updates to address two OpenSSL vulnerabilities that affect its NAS devices.
According to QNAP, the company is investigating the case and patches will be released as soon as possible.
A Closer Look at the Two Vulnerabilities
One of the vulnerabilities is CVE-2021-3712. This is an out-of-bounds read bug in OpenSSL impacting QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, the bug enables remote attackers to disclose memory data or perform a denial-of-service (DoS) attack.
The second vulnerability is CVE-2021-3711; together with the first one, it affects QNAP NAS devices running HBS 3 (Hybrid Backup Sync).
According to the Network-attached storage (NAS) maker QNAP, when abused, the vulnerabilities allow remote attackers to execute arbitrary code with the permissions of the user initiating the application.
As noted by BleepingComputer, the CVE-2021-3712 bug is caused by a read buffer overrun while processing ASN.1 strings. Attackers could abuse it to disrupt vulnerable applications or to obtain access to sensitive information such as private keys.
A week ago, the OpenSSL development team released OpenSSL 1.1.1l to address the pair of vulnerabilities; however, the NAS maker did not say when its own patches will be ready.
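As an added, defender-side example (not code from the article, QNAP or OpenSSL), the Python check below parses an `openssl version` banner and reports whether a 1.1.1-series build predates the 1.1.1l fix release named above; the sample banners are constructed, and builds outside the 1.1.1 branch are reported as out of scope for this check.

```python
import re
import subprocess
from typing import Optional, Tuple

# Fix release named in the article: OpenSSL 1.1.1l closes CVE-2021-3711 and CVE-2021-3712.
FIXED_BRANCH = (1, 1, 1)
FIXED_LETTER = "l"

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner: str) -> Optional[Tuple[Tuple[int, int, int], str]]:
    """Turn 'OpenSSL 1.1.1k  25 Mar 2021' into ((1, 1, 1), 'k'); None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch)), letter


def needs_1_1_1l_patch(banner: str) -> Optional[bool]:
    """True if the banner is a 1.1.1 build older than 1.1.1l, False if 1.1.1l or
    later, None for other branches or unparseable input (outside this check's scope)."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    branch, letter = parsed
    if branch != FIXED_BRANCH:
        return None  # e.g. 1.0.2 or 3.0.x: not what the 1.1.1l advisory covers
    # Letter releases sort by (length, text): '' (plain 1.1.1) < 'k' < 'l' < 'za'.
    return (len(letter), letter) < (len(FIXED_LETTER), FIXED_LETTER)


def local_openssl_banner() -> Optional[str]:
    """Run 'openssl version' on this host; None if the binary is missing."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners (dates are illustrative, not release metadata).
    samples = ["OpenSSL 1.1.1k  25 Mar 2021", "OpenSSL 1.1.1l  24 Aug 2021",
               "OpenSSL 1.1.1  11 Sep 2018", "OpenSSL 1.0.2u  20 Dec 2019"]
    for banner in samples + [local_openssl_banner() or "(no local openssl)"]:
        print(f"{banner!r}: needs 1.1.1l patch -> {needs_1_1_1l_patch(banner)}")
```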
Synology Devices Also Affected by OpenSSL Vulnerabilities
A few days ago, Synology, another Taiwan-based company, disclosed that several of its devices are affected by the same two OpenSSL vulnerabilities.
According to Synology, the affected products include Synology DiskStation Manager (DSM, versions 7.0, 6.2 and UC), SkyNAS, VS960HD, Synology Router Manager (SRM, version 1.2), VPN Plus Server, and VPN Server.
Multiple vulnerabilities allow remote attackers to conduct denial-of-service attacks or execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server, or VPN Server.
Synology is likewise still working on fixes, as no security patches have been released so far.
Palo Alto Networks’ Unit 42 also disclosed this month that a recently discovered eCh0raix ransomware version has added support for encrypting both QNAP and Synology NAS devices.
The eCh0raix ransomware operation is known for targeting QNAP (Quality Network Appliance Provider) and Synology NAS (network-attached storage) devices.
In July, QNAP addressed a critical security vulnerability affecting certain legacy versions of HBS 3 (Hybrid Backup Sync). If exploited, that flaw enabled threat actors to compromise the security of the operating system, escalate privileges, execute commands remotely, or read private information without authorization.