Network-attached storage (NAS) appliance maker QNAP on Wednesday said it’s working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software.
Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like operating systems to serve as file servers for Apple macOS computers.
On March 22, 2022, its maintainers released version 3.1.13 of the software to resolve major security issues (CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, and CVE-2022-0194) that could be exploited to achieve arbitrary code execution.
“This vulnerability [CVE-2022-23121] can be exploited remotely and does not need authentication,” NCC Group researchers noted last month. “It allows an attacker to get remote code execution as the ‘nobody’ user on the NAS. The user has access to private files that normally would require authentication.”
QNAP noted that the Netatalk vulnerabilities impact the following operating system versions –
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later, and
- QuTScloud c5.0.x
Until the updates are available, the Taiwanese company is recommending that users disable AFP. So far, the flaws have been patched in QTS 4.5.4.2012 build 20220419 and later.
The disclosure comes less than one week after QNAP stated that it is investigating its product line for possible impact from two security flaws disclosed in Apache HTTP Server last month.