QNAP warns of new bugs in its Network Attached Storage devices
2022-04-22 18:15

QNAP, the maker of Network Attached Storage devices that are especially popular with home and small business users, has issued a warning about not-yet-patched bugs in the company's products.

QNAP hasn't yet pushed out the Apache HTTP Server 2.4.53 update (the upstream release that fixed these bugs) to its own devices, although it is now warning that two of the bugs fixed in that release, CVE-2022-22721 and CVE-2022-23943, do affect some of its products.

Exploiting those bugs relies on features in the HTTP Server code that are not enabled by default on QNAP devices: CVE-2022-23943 is in mod_sed, and CVE-2022-22721 needs LimitXMLRequestBody raised well above its 1M default on a 32-bit system. If you have enabled either, you can easily turn it off temporarily until the patch arrives.

QNAP has advice on how to prevent your NAS device from receiving connections from the public internet by mistake, so that the device can't be reached, or even discovered, from outside in the first place.

Perform a similar check for all the devices on your network, just in case you have other private devices that can inadvertently be "tickled" from the internet.

UPnP sounds very useful, because it's designed to let routers reconfigure themselves automatically to make setting up new devices easier, but that same convenience lets a device behind your router open inbound ports to the internet without you noticing, which is exactly how a NAS ends up exposed by mistake.


News URL

https://nakedsecurity.sophos.com/2022/04/22/qnap-warns-of-new-bugs-in-its-network-attached-storage-devices/

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                                 RISK
2022-03-14  CVE-2022-23943  Out-of-bounds Write vulnerability in multiple products              critical (CVSS 9.8)
            Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker-provided data.
            Attack vector: network; attack complexity: low; CWE-787
            Affected vendors: apache, fedoraproject, debian, oracle
2022-03-14  CVE-2022-22721  Integer Overflow or Wraparound vulnerability in multiple products   critical (CVSS 9.1)
            If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32-bit systems, an integer overflow happens which later causes out-of-bounds writes.
            Attack vector: network; attack complexity: low; CWE-190
            Affected vendors: apache, fedoraproject, debian, oracle, apple
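The integer-overflow-to-heap-overwrite chain that the CVE-2022-22721 entry describes, as an added C illustration. This is not Apache httpd code and not from the original article: a uint32_t stands in for size_t on a 32-bit build, and the expansion factor of 12 work-space bytes per input byte is an assumption chosen so that the wrap lands near the 350MB figure in the advisory (with this factor it happens just above 341 MiB). The vulnerable size computation is shown next to a hardened version that enforces the configured limit and refuses any multiplication that would not fit in 32 bits.

```c
/*
 * Added illustration (not Apache httpd code) of the CWE-190 -> CWE-787 chain
 * behind CVE-2022-22721: a request-body length is multiplied into a buffer
 * size using 32-bit arithmetic, the product wraps, and the later copy runs
 * off the end of the undersized heap buffer. A uint32_t stands in for size_t
 * on a 32-bit build so the wrap is reproducible on a 64-bit host.
 *
 * ASSUMPTION: the expansion factor (12 work-space bytes per input byte) is
 * made up for this example; it is chosen so that bodies just above 341 MiB
 * wrap, close to the 350MB threshold the advisory quotes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t size32_t;              /* size_t as seen by a 32-bit build */

#define MB            (1024u * 1024u)
#define DEFAULT_LIMIT (1u * MB)         /* LimitXMLRequestBody default: 1M */
#define EXPANSION     12u               /* assumed work-space bytes per input byte */

/* Vulnerable: 32-bit multiply with no overflow check. Once body_len exceeds
 * UINT32_MAX / EXPANSION (about 341 MiB here) the product wraps and the
 * caller allocates far less than it is about to write. */
size32_t alloc_size_unchecked(size32_t body_len)
{
    return body_len * EXPANSION;
}

/* What the expansion really needs, computed without wrap-around. */
uint64_t alloc_size_true(size32_t body_len)
{
    return (uint64_t)body_len * EXPANSION;
}

/* 1 if the unchecked path yields a buffer smaller than the data later
 * written into it, i.e. the precondition for the out-of-bounds write. */
int unchecked_buffer_too_small(size32_t body_len)
{
    return (uint64_t)alloc_size_unchecked(body_len) < alloc_size_true(body_len);
}

/* Hardened: enforce the configured body limit first, then refuse any
 * multiplication whose result would not fit in 32 bits. Returns 0 and sets
 * *out on success, -1 when the request must be rejected. */
int alloc_size_checked(size32_t limit, size32_t body_len, size32_t *out)
{
    if (body_len > limit)
        return -1;                      /* LimitXMLRequestBody exceeded */
    if (body_len > UINT32_MAX / EXPANSION)
        return -1;                      /* body_len * EXPANSION would wrap */
    *out = body_len * EXPANSION;
    return 0;
}

int main(void)
{
    size32_t bodies[] = { 1u * MB, 350u * MB, 400u * MB };
    size32_t raised_limit = 512u * MB;  /* an admin who raised LimitXMLRequestBody */

    for (size_t i = 0; i < sizeof bodies / sizeof bodies[0]; i++) {
        size32_t b = bodies[i], out = 0;
        printf("body %4u MB: unchecked alloc %10u bytes (really needs %llu) -> %s\n",
               b / MB, alloc_size_unchecked(b),
               (unsigned long long)alloc_size_true(b),
               unchecked_buffer_too_small(b) ? "OOB WRITE" : "ok");
        printf("   default limit (1M): %s\n",
               alloc_size_checked(DEFAULT_LIMIT, b, &out) == 0 ? "accepted" : "rejected");
        printf("   limit raised to 512M: %s\n",
               alloc_size_checked(raised_limit, b, &out) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

With the default 1M limit the oversized bodies never reach the multiply at all, which is why the advisory only applies when an administrator has raised LimitXMLRequestBody. The hardened check still rejects a 350MB body even with the limit raised to 512M, because the multiplication itself would wrap; that second check is what the limit alone does not give you.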

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Qnap 96 16 126 133 34 309