Security News > 2021 > August > QNAP Is Latest to Get Dinged by OpenSSL Bugs Fallout

QNAP Is Latest to Get Dinged by OpenSSL Bugs Fallout
2021-08-31 15:08

On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service bugs, fixed last week, that affect its network-attached storage devices.

Many popular open-source programming libraries that support it - including OpenSSL, LibreSSL and BoringSSL, "Have kept old-school product names for the sake of familiarity," Ducklin commented in a recent drilldown into the OpenSSL bugs.

QNAP on Monday joined a parade of organizations whose products rely on OpenSSL and which are either investigating the flaws or have already released security advisories, including Linux distributions such as Red Hat, Ubuntu, SUSE, Debian and Alpine Linux.

It turns out that the OpenSSL vulnerabilities affect QNAP NAS devices running the HBS 3 Hybrid Backup Sync data backup and disaster recovery tool, the QTS GUI, the QuTS hero operating system, and QuTScloud, which is an operating system for QNAP Cloud NAS virtual appliances.

"So the bug is in there, down in the low-level OpenSSL libcrypto code, but if you use OpenSSL at the TLS level to make or accept secure connections, we don't think you can open up a session in which the buggy code could be triggered."

Both of the OpenSSL bugs were fixed in OpenSSL 1.1.1l on Tuesday of last week.


News URL

https://threatpost.com/qnap-openssl-bugs/169054/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Qnap 79 4 95 122 76 297
Openssl 1 7 48 51 13 119