Security News
QNAP, the maker of Network-Attached Storage devices that are especially popular with home and small business users, has issued a warning about not-yet-patched bugs in the company's products. QNAP hasn't yet pushed out the Apache HTTP Server 2.4.53 update to its own devices, although it is now warning that two of the bugs that were fixed, CVE-2022-22721 and CVE-2022-23943, do affect some of its products.
Network-attached storage appliance maker QNAP on Thursday said it's investigating its lineup for potential impact arising from two security vulnerabilities that were addressed in the Apache HTTP server last month. The critical flaws, tracked as CVE-2022-22721 and CVE-2022-23943, are rated 9.8 for severity on the CVSS scoring system and impact Apache HTTP Server versions 2.4.52 and earlier.
QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage devices. The flaws were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.
Taiwanese hardware vendor QNAP urged customers on Monday to disable Universal Plug and Play port forwarding on their routers to prevent exposing their network-attached storage devices to attacks from the Internet. UPnP Port Forwarding allows network devices to communicate seamlessly and create groups for easier data sharing.
Customers of Taiwan-based QNAP Systems are in a bit of limbo, waiting until the company releases a patch for an OpenSSL bug that the company has warned affects most of its network-attached storage devices. Though the bug - tracked as CVE-2022-0778 and rated 7.5 on the CVSS severity-rating scale - has been patched by OpenSSL, QNAP hasn't gotten around to applying a fix yet for its NAS devices affected by the vulnerability.
Taiwanese company QNAP this week revealed that a select number of its network-attached storage appliances are affected by a recently disclosed bug in the open-source OpenSSL cryptographic library. "An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS," the company said in an advisory published on March 29, 2022.
Taiwan-based network-attached storage maker QNAP warned on Tuesday that most of its NAS devices are impacted by a high severity OpenSSL bug disclosed two weeks ago. Attackers can exploit the vulnerability, tracked as CVE-2022-0778, to trigger a denial of service state and remotely crash unpatched devices.
DeadBolt ransomware has resurfaced in a new wave of attacks on QNAP that began in mid-March and signals a new targeting of the Taiwan-based network-attached storage devices by the fledgling threat, researchers said. Researchers from Censys, which provides attack-surface management solutions, said they observed DeadBolt infections on QNAP gear ramp up slowly starting March 16, with a total of 373 infections that day.
Network-attached storage appliance maker QNAP on Monday warned of a recently disclosed Linux vulnerability affecting its devices that could be abused to elevate privileges and gain control of affected systems. "A local privilege escalation vulnerability, also known as 'Dirty Pipe,' has been reported to affect the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x," the company said.
Dirty Pipe, a recently reported local privilege escalation vulnerability, affects the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, QNAP advised. It affects QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS, and QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS. QNAP NAS running QTS 4.x aren't affected.