QNAP

Taiwan-based network-attached storage (NAS) maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago.

Attackers can exploit the vulnerability, tracked as CVE-2022-0778, to trigger a denial of service state and remotely crash unpatched devices.

Although a patch was released two weeks ago when the bug was publicly disclosed, QNAP explained that its customers would have to wait until the company released its own security updates.

It also urged customers to install any security patches it releases as soon as they are released to block potential attacks.

"An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS. If exploited, the vulnerability allows attackers to conduct denial-of-service attacks," QNAP said.

"Currently there is no mitigation available for this vulnerability. We recommend users to check back and install security updates as soon as they become available."

The company says that the security flaw impacts devices running multiple versions of QTS, QuTS hero, and QuTScloud, including:

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

Even though the OpenSSL team told BleepingComputer that they are not aware of CVE-2022-0778 active exploitation, a security advisory issued by Italy's national cybersecurity agency, CSIRT, tagged it as being abused in the wild.

"The flaw is not too difficult to exploit, but the impact is limited to DoS. The most common scenario where exploitation of this flaw would be a problem would be for a TLS client accessing a malicious server that serves up a problematic certificate," an OpenSSL spokesperson told BleepingComputer.

"TLS servers may be affected if they are using client authentication (which is a less common configuration) and a malicious client attempts to connect to it. It is difficult to guess to what extent this will translate to active exploitation."

While there's mixed info regarding ongoing exploitation, threat actors might likely develop a usable exploit and deploy it in attacks if they find NAS devices appealing targets, especially given that they can exploit the flaw in low complexity attacks without user interaction.

QNAP is also working on patching up security holes left by a high severity Linux security flaw dubbed Dirty Pipe, enabling threat actors with local access to gain root privileges on devices running QTS 5.0.x, QuTScloud c5.0.x, and QuTS hero h5.0.x.

Since the initial warning from two weeks ago, QNAP fixed the Dirty Pipe bug for devices running QuTS hero h5.0.0.1949 build 20220215 and later and promised to release patches for QTS and QuTScloud as soon as possible.

Related Articles:

QNAP warns of critical auth bypass flaw in its NAS devices

CISA urges software devs to weed out path traversal vulnerabilities

FBI warns against using unlicensed crypto transfer services

Over 1,400 CrushFTP servers vulnerable to actively exploited bug

Microsoft pulls fix for Outlook bug behind ICS security alerts