QNAP Customers Adrift, Waiting on Fix for OpenSSL Bug
2022-03-31 13:22

Customers of Taiwan-based QNAP Systems are in a bit of limbo, waiting until the company releases a patch for an OpenSSL bug that the company has warned affects most of its network-attached storage devices.

Though the bug - tracked as CVE-2022-0778 and rated 7.5 on the CVSS severity-rating scale - has been patched by OpenSSL, QNAP hasn't gotten around to applying a fix yet for its NAS devices affected by the vulnerability.

As the company readies a fix for the OpenSSL flaw, it's also working on another patch for the so-called Dirty Pipe Linux kernel flaw discovered earlier this month, which also currently has no mitigation on QNAP NAS devices.

The Dirty Pipe flaw, a local privilege-escalation vulnerability, affects the Linux kernel on QNAP NAS devices running QTS 5.0.x and QuTS hero h5.0.x.

Attackers have also been pummeling QNAP devices with both ransomware and brute-force attacks since the beginning of the year, the latter of which prompted the vendor to urge customers to get their internet-exposed NAS devices off the internet.

In late January, QNAP forced out an unexpected and not entirely welcome update to its customers' NAS devices after warning them that the DeadBolt ransomware was mounting an offensive against them.

Just last week, reports surfaced that DeadBolt was at it again in a new wave of attacks against QNAP. The current OpenSSL scenario also is not the first time the vendor's devices were rattled by a flaw in the cryptography library.


News URL

https://threatpost.com/qnap-customers-adrift-fix-openssl-bug/179197/

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-15 | CVE-2022-0778 | Infinite Loop vulnerability in multiple products. The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. | 7.5 |

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Qnap 93 15 113 112 32 272
Openssl 2 12 98 53 17 180