The OpenSSL vulnerability
QNAP, which is the manufacturer of network-attached storage (NAS) appliances, has begun examining two newly discovered security vulnerabilities in OpenSSL to assess their effect and has announced that it would issue security patches if any of its devices are shown to be vulnerable.
The flaws under examination have been tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), and may be exploited by adversaries to execute arbitrary code, perform denial-of-service attacks, or gain access to private memory contents, such as private keys or plaintext.
According to the information that is available, CVE-2021-3711 is a vulnerability that is related to a high-severity buffer overflow in SM2 decryption function while the CVE-2021-3712 flaw is a weakness that stems from a buffer overrun issue that occurs when processing ASN.1 strings.
As per the CVE-2021-3711 advisory, if a malicious actor is able to present SM2 content for decryption to a specific application, any data he chooses may intentionally overflow a buffer by up to 62 bytes, potentially affecting the contents of additional data stored after the buffer, causing a crash of the application or changing its behavior.
On 24th of August, the widely used open-source cryptographic library OpenSSL responded to the problem by addressing it with a release of versions OpenSSL 1.1.1l and 1.0.2za.
In the meantime, NetApp came with a list of products that seem to be affected by the two vulnerabilities. While the company keeps testing the rest of the products from its lineup, the full list of the ones that have been confirmed to be vulnerable can be checked here.
In relation to the recent revelations, Synology, another leading NAS manufacturer, has also started an investigation of its products line to check if the two reported flaws are affecting some of its products.
According to the company’s advisory, many security holes enable remote attackers to execute arbitrary code or perform denial-of-service attacks through a vulnerable version of the Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server and VPN Server.
OpenSSL, the underpinning technology of many products, was previously known to be vulnerable to attack, and many other firms, whose products depend on OpenSSL, including big names like Red Hat, SUSE, Debian and Ubuntu, have also issued security advisories.