QNAP works on patches for OpenSSL vulnerabilities impacting its NAS devices

The OpenSSL vulnerability

QNAP, which is the manufacturer of network-attached storage (NAS) appliances, has begun examining two newly discovered security vulnerabilities in OpenSSL to assess their effect and has announced that it would issue security patches if any of its devices are shown to be vulnerable.

Qnap Nas

The flaws under examination have been tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), and may be exploited by adversaries to execute arbitrary code, perform denial-of-service attacks, or gain access to private memory contents, such as private keys or plaintext.

According to the information that is available, CVE-2021-3711 is a vulnerability that is related to a high-severity buffer overflow in SM2 decryption function while the CVE-2021-3712 flaw is a weakness that stems from a buffer overrun issue that occurs when processing ASN.1 strings.

As per the CVE-2021-3711 advisory, if a malicious  actor is able to present SM2 content for decryption to a specific application, any data he chooses may intentionally overflow a buffer by up to 62 bytes, potentially affecting the contents of additional data stored after the buffer, causing a crash of the application or changing its behavior.

On 24th of August, the widely used open-source cryptographic library OpenSSL responded to the problem by addressing it with a release of versions OpenSSL 1.1.1l and 1.0.2za.

In the meantime, NetApp came with a list of products that seem to be affected by the two vulnerabilities. While the company keeps testing the rest of the products from its lineup, the full list of the ones that have been confirmed to be vulnerable can be checked here.

In relation to the recent revelations, Synology, another leading NAS manufacturer, has also started an investigation of its products line to check if the two reported flaws are affecting some of its products.

According to the company’s advisory, many security holes enable remote attackers to execute arbitrary code or perform denial-of-service attacks through a vulnerable version of the Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server and VPN Server.

OpenSSL, the underpinning technology of many products, was previously known to be vulnerable to attack, and many other firms, whose products depend on OpenSSL, including big names like Red Hat, SUSE, Debian and Ubuntu, have also issued security advisories.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment