QNAP Confirms New Critical Flaws Affecting Some Network-Attached Storage Devices
Last week, QNAP published a security advisory to warn customers about new critical flaws in an open-source fileserver technology integrated into its network-attached storage (NAS) devices. The company has advised customers to look out for updates to address the vulnerabilities affecting some of its products.
QNAP explained in its advisory that these flaws exist in Netatalk, a free, open-source implementation of the Apple Filing Protocol (AFP), which is used to share files between clients and servers. Specifically, AFP enables macOS clients to access data stored on NAS devices. The company says that this outdated file access protocol is still being used because it supports various macOS attributes not found in other protocols.
It is important to note that Netatalk released an update (v3.1.13) to patch all the security issues in March. QNAP confirmed that it has already addressed the Netatalk flaws in QTS 220.127.116.112 build 20220419 and later. However, these vulnerabilities still impact several older versions of its QTS operating system. The list includes:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
QNAP advises users to temporarily disable AFP
The company is currently investigating the security vulnerabilities, and it’s planning to release updates for all impacted QNAP OS versions soon. “QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” QNAP explained.
In the meantime, QNAP is urging customers to disable AFP on QTS or QuTS hero NAS devices to mitigate the Netatalk vulnerabilities in their organization. To do so, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking and disable the “AFP (Apple Filing Protocol)” option.
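Once the option is turned off, administrators can confirm from the network side that the NAS no longer accepts AFP connections. The following is an added example, not part of QNAP's advisory: it assumes AFP over TCP on its registered port 548, and the hostnames passed on the command line are your own devices.

```python
import socket
import sys

AFP_PORT = 548  # registered TCP port for AFP over TCP (assumed default)


def afp_state(host, port=AFP_PORT, timeout=3.0):
    """Classify one NAS as 'listening', 'closed' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"      # AFP service still accepts connections
    except ConnectionRefusedError:
        return "closed"             # host answered, nothing bound to the port
    except OSError:
        # Timeout, DNS failure or filtered port: a firewall may be hiding
        # the service, so this is not proof that AFP is disabled.
        return "unreachable"


def audit(hosts, port=AFP_PORT, timeout=3.0):
    """Map each host in the inventory to its AFP state."""
    return {host: afp_state(host, port, timeout) for host in hosts}


def still_exposed(results):
    """Hosts where the mitigation has not taken effect."""
    return sorted(h for h, state in results.items() if state == "listening")


if __name__ == "__main__":
    # Usage: python check_afp.py nas01 nas02 ...
    results = audit(sys.argv[1:])
    for host, state in sorted(results.items()):
        print(f"{host}: {state}")
    # A non-zero exit code lets a scheduled job flag remaining exposure.
    sys.exit(1 if still_exposed(results) else 0)
```

Run it from a client subnet that normally mounts the shares, since a result of "unreachable" from elsewhere may only reflect firewall rules.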