New vulnerabilities have been discovered in QNAP network-attached storage (NAS) devices, the company has confirmed.
As reported by BleepingComputer, the vulnerabilities - tracked as CVE-2022-22721, and CVE-2022-23943 - have both been awarded a severity score of 9.8/10. Discovered in Apache HTTP Server 2.4.52 and earlier, the bugs can be used to perform low complexity attacks that don’t require victim interaction.
QNAP has warned NAS owners to apply known mitigations, as a full patch is not yet available.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022 (opens in new tab). Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey (opens in new tab) to get the bookazine, worth $10.99/£10.99.
Mitigation available, patch pending
"We are thoroughly investigating the two vulnerabilities that affect QNAP products, and will release security updates as soon as possible," the company said.
"CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device."
While we await a full patch, QNAP has advised customers to keep the default value "1M" for LimitXMLRequestBody, and disable mod_sed, as these two things effectively plug the holes.
QNAP also said the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
> QNAP NAS devices vulnerable to dangerous 'DirtyPipe' Linux bug (opens in new tab)
> Microsoft refreshes its own in-house Linux distro (opens in new tab)
> This major Linux security vulnerability has been fixed, so patch now (opens in new tab)
In the same announcement, QNAP revealed that it’s hard at work fixing “Dirty Pipe”, a high severity Linux vulnerability that was recently discovered.
Dirty Pipe affects NAS devices running multiple versions of QTS, QuTS hero, and QuTScloud, and allows threat actors to trigger denial of service (DoS) attacks, or crash endpoints remotely.
The Linux kernel team patched Dirty Pipe as soon as its existence was confirmed. A security update has been rolled out to all affected Linux versions, while Google also updated the Android operating system.
If left unpatched on vulnerable systems, Dirty Pipe can be exploited by an attacker to gain complete control over affected computers and smartphones. With this access, they would be able to read users' private messages, compromise banking apps and more.
- Keep your devices up to date with the best patch management software around (opens in new tab)
Via BleepingComputer (opens in new tab)