QNAP Confirms New Critical Flaws Affecting Some Network-Attached Storage Devices


Last week, QNAP published a security advisory to warn customers about new critical flaws in an open-source fileserver technology integrated into its network-attached storage (NAS) devices. The company has advised customers to look out for updates to address the vulnerabilities affecting some of its products.

QNAP explained in its advisory that these flaws exist in Netatalk, a free, open-source implementation of the Apple Filing Protocol (AFP), which is used to share files between clients and servers. Specifically, AFP enables macOS clients to access data stored on NAS devices. The company says that this outdated file access protocol is still being used because it supports various macOS attributes not found in other protocols.


It is important to note that Netatalk released an update (v3.1.13) to patch all the security issues in March. QNAP confirmed that it has already addressed the Netatalk flaws in QTS 4.5.4.2012 build 20220419 and later. However, these vulnerabilities still impact several older versions of its QTS operating system. The list includes:

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

QNAP advises users to temporarily disable AFP

The company is currently investigating the security vulnerabilities, and it’s planning to release updates for all impacted QNAP OS versions soon. “QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” QNAP explained.

In the meantime, QNAP is urging customers to disable AFP on QTS or QuTS hero NAS devices to mitigate the Netatalk vulnerabilities. To do so, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking, then disable the “AFP (Apple Filing Protocol)” option.
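To confirm the setting took effect on a NAS you administer, the following added example (not from QNAP's advisory or this article) checks whether an AFP service still answers. Port 548 and the DSI GetStatus framing are standard AFP-over-TCP details assumed here, and `afp_state` and `still_exposed` are hypothetical helper names.

```python
import socket
import struct
import sys

AFP_PORT = 548          # standard AFP-over-TCP (DSI) port; not stated in the article
DSI_HEADER = ">BBHIII"  # flags, command, request id, error/offset, data length, reserved
DSI_REQUEST, DSI_REPLY, DSI_GET_STATUS = 0x00, 0x01, 0x03


def afp_state(host, port=AFP_PORT, timeout=3.0):
    """Return 'closed', 'afp' or 'other' for the service on host:port."""
    request_id = 1
    probe = struct.pack(DSI_HEADER, DSI_REQUEST, DSI_GET_STATUS, request_id, 0, 0, 0)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable: AFP is not exposed
    reply = b""
    with sock:
        try:
            sock.sendall(probe)
            while len(reply) < 16:  # a DSI header is always 16 bytes
                chunk = sock.recv(16 - len(reply))
                if not chunk:
                    break
                reply += chunk
        except OSError:
            return "other"  # something listens, but it does not speak DSI
    if len(reply) < 16:
        return "other"
    flags, command, rid, _, _, _ = struct.unpack(DSI_HEADER, reply)
    # A real AFP server echoes the command and request id with the reply flag set.
    if (flags, command, rid) == (DSI_REPLY, DSI_GET_STATUS, request_id):
        return "afp"
    return "other"


def still_exposed(hosts, **kwargs):
    """Subset of hosts on which an AFP service is still answering."""
    return [h for h in hosts if afp_state(h, **kwargs) == "afp"]


if __name__ == "__main__":
    # Pass your own NAS addresses as arguments; defaults to localhost.
    for nas in sys.argv[1:] or ["127.0.0.1"]:
        print(f"{nas}: {afp_state(nas)}")
```

A result of `afp` after the option has been switched off means the change did not apply or another AFP daemon is running on that host.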