Security News > 2022 > March > QNAP warns severe OpenSSL bug affects most of its NAS devices
Taiwan-based network-attached storage maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago.
Attackers can exploit the vulnerability, tracked as CVE-2022-0778, to trigger a denial of service state and remotely crash unpatched devices.
Although a patch was released two weeks ago when the bug was publicly disclosed, QNAP explained that its customers would have to wait until the company released its own security updates.
"An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS. If exploited, the vulnerability allows attackers to conduct denial-of-service attacks," QNAP said.
While there's mixed info regarding ongoing exploitation, threat actors might likely develop a usable exploit and deploy it in attacks if they find NAS devices appealing targets, especially given that they can exploit the flaw in low complexity attacks without user interaction.
QNAP is also working on patching up security holes left by a high severity Linux security flaw dubbed Dirty Pipe, enabling threat actors with local access to gain root privileges on devices running QTS 5.0.x, QuTScloud c5.0.x, and QuTS hero h5.0.x. Since the initial warning from two weeks ago, QNAP fixed the Dirty Pipe bug for devices running QuTS hero h5.0.0.1949 build 20220215 and later and promised to release patches for QTS and QuTScloud as soon as possible.
News URL
Related news
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-15 | CVE-2022-0778 | Infinite Loop vulnerability in multiple products The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. | 7.5 |