QNAP warns users to disable AFP until it fixes critical bugs
Taiwanese corporation QNAP has asked customers this week to disable the AFP file service protocol on their network-attached storage appliances until it fixes multiple critical Netatalk vulnerabilities.
On QNAP NAS devices, AFP allows macOS systems to access data on the NAS. According to QNAP, it's still used because it "Supports many unique macOS attributes that are not supported by other protocols."
Three of the other bugs QNAP warned its customers about also received 9.8/10 severity ratings, and all of them allow unauthenticated attackers to execute arbitrary code remotely on unpatched devices.
QuTScloud c5.0.x. "QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible," the NAS maker said.
"To mitigate these vulnerabilities, disable AFP. We recommend users to check back and install security updates as soon as they become available."
To disable AFP on your QTS or QuTS hero NAS device, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking and select Disable AFP.
QNAP is also working on addressing 'Dirty Pipe', a Linux vulnerability actively exploited in attacks that allows gaining root privileges, and a high severity OpenSSL bug that can lead to denial of service states and remote crashes.