Network-attached storage (NAS) equipment maker QNAP on Wednesday said it is working on updating its QTS and QuTS operating systems after Netatalk last month released patches to contain seven security flaws in its software.
On March 22, 2022, its maintainers released version 3.1.13 of the software to resolve major security issues (CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, and CVE-2022-0194) that could be exploited to achieve arbitrary code execution.
“This vulnerability [CVE-2022-23121] can be exploited remotely and does not need authentication,” NCC Group researchers noted last month. “It allows an attacker to get remote code execution as the ‘nobody’ user on the NAS. This user can access private shares that would normally require authentication.”
QNAP noted that the Netatalk vulnerabilities impact the following operating system versions:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later, and
- QuTScloud c5.0.x
Until the updates are available, the Taiwanese company is recommending that users disable AFP. The flaws have been patched so far in QTS 188.8.131.522 build 20220419 and later.
The disclosure arrives less than a week after QNAP said it is investigating its product lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month.