QNAP works on patches for OpenSSL bugs impacting its NAS devices
Network-attached storage maker QNAP is investigating and working on security updates to address remote code execution and denial-of-service vulnerabilities patched by OpenSSL last week.
The security flaws, tracked as CVE-2021-3711 and CVE-2021-3712, impact QNAP NAS devices running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync, according to advisories [1, 2] published earlier today.
While the OpenSSL development team published OpenSSL 1.1.1l to address the flaws a week ago, on August 24, QNAP did not provide an estimated time of arrival for incoming security updates.
Last week, Taiwan-based NAS maker Synology also said multiple models in its NAS line are affected by the same two security flaws.
Earlier this month, Palo Alto Networks' Unit 42 revealed that a newly discovered eCh0raix ransomware variant had added support for encrypting both QNAP and Synology NAS devices.
One month earlier, QNAP fixed a critical HBS 3 security vulnerability that enabled attackers to escalate privileges, read sensitive info without authorization, or execute commands remotely.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-08-24 | CVE-2021-3712 | Out-of-bounds Read vulnerability in multiple products. ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. | 7.4 |
2021-08-24 | CVE-2021-3711 | Classic Buffer Overflow vulnerability in multiple products. In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). | 9.8 |