Taiwanese corporation QNAP has asked customers this week to disable the AFP file serving protocol on their network-attached storage (NAS) devices until it fixes multiple critical Netatalk vulnerabilities.
Netatalk is an open source implementation of AFP (short for Apple Filing Protocol) that allows *NIX/*BSD systems to act as an AppleShare File Server (AFP) for macOS clients.
On QNAP NAS devices, AFP allows macOS systems to access data on the NAS. According to QNAP, it is still used because it “supports many unique attributes of macOS that are not supported by other protocols.”
One of these security flaws, tracked as CVE-2022-23121 and rated with a severity score of 9.8/10, was exploited by members of NCC Group's EDG team to achieve unauthenticated remote code execution during the Pwn2Own 2021 hacking competition, on a Western Digital PR4100 NAS running My Cloud OS firmware.
Three of the other bugs QNAP warned its customers about (CVE-2022-23125, CVE-2022-23122, and CVE-2022-0194) also received severity ratings of 9.8/10, and all of them likewise allow unauthenticated attackers to execute arbitrary code remotely on unpatched devices.
On March 22, the Netatalk development team released version 3.1.13 to fix these security bugs, three months after the flaws were reported following the Pwn2Own contest.
QNAP says that the Netatalk vulnerabilities (fixed in QTS 4.5.4.2012 build 20220419 and later) affect the following OS versions:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
QNAP: Disable AFP until firmware is patched
“QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP OS versions and provide more information as soon as possible,” the NAS manufacturer said.
“To mitigate these vulnerabilities, please disable AFP. We encourage users to check back and install security updates as soon as they are available.”
To disable AFP on your QTS or QuTS hero NAS device, you will need to go to Control Panel > Network and File Services > Win/Mac/NFS/WebDAV > Apple Networking and select Disable AFP (Apple File Protocol).
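After disabling AFP in the Control Panel, it is worth confirming that afpd is actually no longer listening on TCP port 548 (the AFP port). The script below is an added example, not from QNAP or the article: it parses `netstat -tln`-style output (the embedded sample is constructed, not real QNAP output) and can also probe the port from a management host. The function names, the sample output, and the assumption that the NAS exposes a netstat-compatible listing over SSH are all mine.

```python
import re
import socket

# Constructed sample of `netstat -tln`-style output; not captured from a real NAS.
# Port 5480 is included on purpose to show that the parser matches whole port numbers.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:548             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5480          0.0.0.0:*               LISTEN
tcp6       0      0 :::548                  :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
"""

AFP_PORT = 548  # TCP port used by AFP (afpd)


def afp_listeners(netstat_output, port=AFP_PORT):
    """Return the local addresses of LISTEN sockets bound to `port`.

    Works on netstat-style lines (Proto Recv-Q Send-Q Local Foreign State).
    The port is anchored at the end of the 'Local Address' column so that
    e.g. 5480 is not mistaken for 548.
    """
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header, UDP, or malformed line
        local, state = fields[3], fields[5]
        if state == "LISTEN" and re.search(r":%d$" % port, local):
            found.append(local)
    return found


def afp_reachable(host, port=AFP_PORT, timeout=2.0):
    """Plain TCP connect to host:port; True if something accepts the connection.

    Intended to be run against your own NAS from a management host after
    AFP has been disabled, to confirm the service is really gone.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys

    # Usage: ssh admin@<nas> netstat -tln | python3 check_afp.py
    # Falls back to the constructed sample when run without piped input.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    hits = afp_listeners(data)
    if hits:
        print("AFP still listening on:", ", ".join(hits))
    else:
        print("No AFP (TCP 548) listener found")
```

With the sample input the parser reports both the IPv4 and the IPv6 listener on 548; after AFP is disabled on the NAS the expected result is an empty list, and `afp_reachable("<nas-ip>")` from another host should return False.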
QNAP is also working to address a Linux kernel vulnerability known as ‘Dirty Pipe’, which is actively exploited in attacks to gain root privileges, and a high-severity OpenSSL bug that can cause denial-of-service (DoS) conditions and remote lockouts.
While the Dirty Pipe flaw has yet to be fixed for NAS devices running QuTScloud c5.0.x, QNAP has so far released only QTS security updates for the OpenSSL DoS flaw it warned customers about a month ago.
A week earlier, customers were also told to mitigate two critical Apache HTTP Server bugs, adding to the queue of vulnerabilities that need to be addressed on devices running QTS, QuTS hero, and QuTScloud.