QNAP NAS owners are under attack once again
Mitigations available as we wait for the patch
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
New vulnerabilities have been discovered in QNAPnetwork-attached storage (NAS) devices, the company has confirmed.
As reported byBleepingComputer, the vulnerabilities - tracked as CVE-2022-22721, and CVE-2022-23943 - have both been awarded a severity score of 9.8/10. Discovered in Apache HTTP Server 2.4.52 and earlier, the bugs can be used to perform low complexity attacks that don’t require victim interaction.
QNAP has warnedNASowners to apply known mitigations, as a full patch is not yet available.
Share your thoughts on Cybersecurity and get a free copy of the Hacker’s Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at theend of this surveyto get the bookazine, worth $10.99/£10.99.
Mitigation available, patch pending
“We are thoroughly investigating the two vulnerabilities that affect QNAP products, and will release security updates as soon as possible,” the company said.
“CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device.”
While we await a full patch, QNAP has advised customers to keep the default value “1M” for LimitXMLRequestBody, and disable mod_sed, as these two things effectively plug the holes.
QNAP also said the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTSoperating system.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
QNAP NAS devices vulnerable to dangerous ‘DirtyPipe’ Linux bug>Microsoft refreshes its own in-house Linux distro>This major Linux security vulnerability has been fixed, so patch now
In the same announcement, QNAP revealed that it’s hard at work fixing “Dirty Pipe”, a high severityLinuxvulnerability that was recently discovered.
Dirty Pipe affects NAS devices running multiple versions of QTS, QuTS hero, and QuTScloud, and allows threat actors to trigger denial of service (DoS) attacks, or crash endpoints remotely.
The Linux kernel team patched Dirty Pipe as soon as its existence was confirmed. A security update has been rolled out to all affected Linux versions, whileGooglealso updated the Android operating system.
If left unpatched on vulnerable systems, Dirty Pipe can be exploited by an attacker to gain complete control over affected computers and smartphones. With this access, they would be able to read users' private messages, compromise banking apps and more.
ViaBleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
This new phishing strategy utilizes GitHub comments to distribute malware
Should your VPN always be on?
NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)
