QNAP NAS Owners are Under Attack Once Again


New vulnerabilities have been found in QNAP network-attached storage (NAS) devices, according to the company.

The vulnerabilities, identified as CVE-2022-22721 and CVE-2022-23943, have both been assigned a severity score of 9.8/10, according to BleepingComputer. The flaws, found in Apache HTTP Server 2.4.52 and earlier, can be exploited in low-complexity attacks that require no user interaction.

Because a full patch is not yet available, QNAP has advised NAS owners to use known mitigations.

Mitigation Available, Patch Pending

The company stated, "We are researching the two vulnerabilities that affect QNAP products and will deliver security fixes as soon as feasible."

"CVE-2022-22721 affects 32-bit QNAP NAS models, whereas CVE-2022-23943 concerns users on QNAP devices that have enabled mod_sed in Apache HTTP Server."


Until a comprehensive patch is available, QNAP recommends that users leave LimitXMLRequestBody at 1M and disable mod_sed, as these two actions effectively close the gaps.

On NAS systems using the QTS operating system, the mod_sed in-process content filter is disabled by default in Apache HTTP Server, according to QNAP.
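The two mitigations above can be checked mechanically. The following is an added example, not code from QNAP or the original article: it audits Apache configuration text for a loaded `sed_module` and for a `LimitXMLRequestBody` value other than the 1M default. The sample configs, the function name `audit_apache_conf`, and the assumption that the NAS uses standard `httpd.conf` syntax are constructed for illustration.

```python
APACHE_DEFAULT_XML_LIMIT = 1_000_000  # Apache's default LimitXMLRequestBody ("1M"), in bytes

# Constructed sample configs (not taken from a real QNAP device).
RISKY_CONF = """\
LoadModule dav_module modules/mod_dav.so
LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 0
<Directory "/share/Web">
    LimitXMLRequestBody 524288000
</Directory>
"""
MITIGATED_CONF = """\
LoadModule dav_module modules/mod_dav.so
#LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 1000000
"""


def audit_apache_conf(text):
    """Return (line_number, finding) tuples for the two advised mitigations.

    Only the text passed in is inspected; Include'd files must be audited
    separately. A missing LimitXMLRequestBody means the default applies.
    """
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out (inactive) directive
        directive = parts[0].lower()  # Apache directive names are case-insensitive
        if directive == "loadmodule" and len(parts) >= 2 and parts[1] == "sed_module":
            findings.append((n, "mod_sed is loaded"))
        elif directive == "limitxmlrequestbody" and len(parts) >= 2:
            try:
                value = int(parts[1])
            except ValueError:
                findings.append((n, "LimitXMLRequestBody is not a number"))
                continue
            # 0 is flagged as well: it is not the 1M value the advice calls for.
            if value == 0 or value > APACHE_DEFAULT_XML_LIMIT:
                findings.append((n, f"LimitXMLRequestBody is {value}, not the 1M default"))
    return findings


if __name__ == "__main__":
    for name, conf in (("risky", RISKY_CONF), ("mitigated", MITIGATED_CONF)):
        print(name, audit_apache_conf(conf))
```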

In the same announcement, QNAP also stated that it is working to remedy "Dirty Pipe," a recently found high-severity Linux vulnerability.

Threat actors can use Dirty Pipe to launch denial of service (DoS) attacks or crash endpoints remotely on NAS systems running several versions of QTS, QuTS hero, and QuTScloud.


As soon as they confirmed the existence of Dirty Pipe, the Linux kernel team patched it. They have applied security fixes to all affected Linux versions and Google's Android operating system. 

If Dirty Pipe is left unpatched on vulnerable systems, an attacker can gain total control over affected computers and devices. With this access, they would be able to read customers' private messages, hack financial applications, and more.

About QNAP Systems, Inc.

A product security statement was released today by QNAP® Systems, Inc. (QNAP). Ransomware and brute-force assaults have been routinely used to target all networking equipment, with those devices exposed to the Internet without protection being the most vulnerable. To protect the security of QNAP networking equipment, QNAP encourages all QNAP NAS users to follow the security setup guidelines below.

QNAP (Quality Network Appliance Provider) offers complete software development, hardware design, and in-house manufacturing solutions. QNAP introduces a breakthrough Cloud NAS solution that unites our cutting-edge subscription-based software and varied service channel ecosystem, focusing on storage, networking, and intelligent video advances. QNAP sees NAS as more than just storage and has built a cloud-based networking architecture. Customers may host and create artificial intelligence analysis, edge computing, and data integration on their QNAP devices.

Written by Jessica Vieira
Jessica Vieira is ProductReviews's senior media reporter, covering the intersection of entertainment and technology.
