QNAP warns of new bugs in its Network Attached Storage devices (April 2022)
QNAP, the maker of Network Attached Storage devices that are especially popular with home and small business users, has issued a warning about not-yet-patched bugs in the company's products.
QNAP hasn't yet pushed out the Apache HTTP Server 2.4.53 update to its own devices, although it is now warning that two of the bugs fixed in that update, CVE-2022-22721 and CVE-2022-23943, do affect some of its products.
Exploiting those bugs relies on features in the HTTP Server code that are not enabled by default on QNAP devices, and that you can easily turn off temporarily if you have enabled them.
QNAP has advice on how to prevent your NAS device from receiving connections from the public internet by mistake, thus preventing your device from being accessed or even discovered in the first place.
Perform a similar check for all the devices on your network, just in case you have other private devices that can inadvertently be "tickled" from the internet.
UPnP sounds very useful, because it's designed to allow routers to reconfigure themselves automatically to make setting up new devices easier.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-03-14 | CVE-2022-23943 | Out-of-bounds Write vulnerability in multiple products: Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker-provided data. | 9.8 |
2022-03-14 | CVE-2022-22721 | Integer Overflow or Wraparound vulnerability in multiple products: If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32-bit systems, an integer overflow happens which later causes out-of-bounds writes. | 9.1 |
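
A small configuration audit for the two conditions in the table above, added here as an example and not taken from QNAP's or Apache's own tooling: it flags an active mod_sed load and a LimitXMLRequestBody value that allows bodies over 350MB. The sample configuration, host name and paths are constructed, and treating a value of 0 as "no limit" is an assumption based on HTTP Server behaviour before 2.4.53.

```python
import re

# Threshold taken from the CVE-2022-22721 description: bodies larger than 350MB.
XML_BODY_RISK_BYTES = 350 * 1024 * 1024

LOADMODULE = re.compile(r"^LoadModule\s+(\S+)\s+(\S+)", re.IGNORECASE)
XML_LIMIT = re.compile(r"^LimitXMLRequestBody\s+(\d+)\s*$", re.IGNORECASE)


def audit_httpd_config(text):
    """Return (line_number, cve, detail) tuples for active risky directives."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # lines starting with '#' are comments, so the directive is inactive
        module = LOADMODULE.match(line)
        if module and (module.group(1).lower() == "sed_module"
                       or module.group(2).lower().endswith("mod_sed.so")):
            findings.append((number, "CVE-2022-23943", "mod_sed is loaded"))
        limit = XML_LIMIT.match(line)
        if limit:
            size = int(limit.group(1))
            # Assumption: 0 removed the limit before 2.4.53, so treat it as oversized.
            if size == 0 or size > XML_BODY_RISK_BYTES:
                findings.append((number, "CVE-2022-22721",
                                 f"LimitXMLRequestBody {size} allows bodies over 350MB"))
    return findings


# Constructed sample configuration, not taken from a real QNAP device.
SAMPLE_CONFIG = """\
ServerName nas.example
#LoadModule sed_module modules/mod_sed.so
LoadModule sed_module modules/mod_sed.so
<Directory "/share/Web">
    LimitXMLRequestBody 524288000
</Directory>
<Directory "/share/Web/dav">
    limitxmlrequestbody 1048576
</Directory>
"""

if __name__ == "__main__":
    for number, cve, detail in audit_httpd_config(SAMPLE_CONFIG):
        print(f"line {number}: {cve}: {detail}")
```

The CVE-2022-22721 finding only matters on 32-bit systems, which the configuration file alone does not reveal, so confirm the architecture separately.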