Security News > 2021 > September > QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices
Network-attached storage appliance maker QNAP said it's currently investigating two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable.
"A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash," according to the advisory for CVE-2021-3711.
OpenSSL, a widely used open-source cryptographic library that provides encrypted connections using Secure Sockets Layer or Transport Layer Security, addressed the issues in versions OpenSSL 1.1.1l and 1.0.2za that were shipped on August 24.
The development follows days after NAS maker Synology also disclosed that it's opened an investigation into a number of models, comprising DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server, to check if they are affected by the same two flaws.
"Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack[s] or possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager, Synology Router Manager, VPN Plus Server or VPN Server," the Taiwanese company said in an advisory.
Other companies whose products rely on OpenSSL have also released security bulletins, including -.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-08-24 | CVE-2021-3711 | Classic Buffer Overflow vulnerability in multiple products In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). | 9.8 |