QNAP says it is working on patches for OpenSSL bugs impacting its NAS devices

News
By Mayank Sharma
published

A ticking time bomb

security threat
(Image credit: Shutterstock.com)

Taiwanese storage manufacturer QNAP has acknowledged that some of its Network-Attached Storage (NAS) devices are impacted by the vulnerabilities reported by OpenSSL, though it is still to release a fix.

According to the company, the OpenSSL security flaws tracked as CVE-2021-3711 and CVE-2021-3712, impact its devices that run its QTS, QuTS hero, QuTScloud operating system, as well as the Hybrid Backup Sync (HBS 3) data backup and disaster recovery solution. 

In its advisory, QNAP explains that the vulnerabilities can be exploited to enable remote attackers to read data in the memory of the affected device, trigger a denial-of-service (DoS) attack, or run arbitrary code with the same permissions as that of the user running the HBS 3 app.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

“QNAP is thoroughly investigating the case. We will release security updates and provide further information as soon as possible,” read the QNAP advisory.

What’s the hold up?

Interestingly, the OpenSSL development team has already released OpenSSL v1.1.1l to address the flaws last week, on August 24. 

However, the latest QNAP advisories only acknowledge the presence of the vulnerabilities in its devices. Not only has the company not released a fix, it hasn’t even put out an estimated date by which users can expect a patch. 

QNAP isn’t alone though. Last week, fellow Taiwanese NAS vendor Synology also acknowledged the presence of the OpenSSL vulnerabilities in a slew of its products. And just like QNAP, Synology too hasn’t yet addressed the flaws, and instead tags them as “Pending” and “Ongoing”.

Internet-connected NAS devices are one of the favorite targets of attackers, and both Synology and QNAP have been on the receiving end of such campaigns. 

Although there haven’t yet been reports of a campaign against these devices that capitalize on the OpenSSL vulnerabilities, the delay in issuing patches should be a cause of concern for owners of the vulnerable devices.

Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.