QNAP to Fix Critical OpenSSL Bug Impacting NAS Devices
Taiwan-based QNAP Systems has confirmed a new OpenSSL bug that impacts most of its network-attached storage (NAS) devices. According to the company’s advisory, the security flaw leads to an infinite loop that would result in a denial-of-service (DoS) state.
The security vulnerability, tracked as CVE-2022-0778 and issued a CVSS “high” severity score of 7.5, has already been addressed by OpenSSL last month. However, QNAP has yet to release a security update to fix the issue in its NAS devices.
“An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS. If exploited, the vulnerability allows attackers to conduct denial-of-service attacks,” QNAP explained in its security advisory. “Currently there is no mitigation available for this vulnerability. We recommend users to check back and install security updates as soon as they become available.”
OpenSSL is a popular cryptography library that provides an open-source application of the TLS protocol that makes network communication more secure. According to OpenSSL, the security flaw is present in the BN_mod_sqrt() function. We’ll spare you the technical details, but the threat actors could potentially create a certificate with invalid explicit curve parameters to trigger DoS states on the targetted device.
QNAP says the OpenSSL bug impacting most of its NAS devices
In its security advisory, QNAP confirmed that the OpenSSL bug affects the following NAS devices:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
QNAP is currently investigating the OpenSSL bug, but it has yet to find any evidence that attackers are actively exploiting the vulnerability. Meanwhile, the company is also working to patch the critical “Dirty Pipe” Linux kernel flaw on devices running the QuTScloud OS. It enables attackers to overwrite data in arbitrary read-only files, which leads to privilege escalation on affected machines.
More in Security
FireCompass Raises $7 Million to Improve its CART and ASM Capabilities
Feb 7, 2023 | Laurent Giret
Microsoft Purview Adds Adaptive Protection to Dynamically Mitigate Risks
Feb 7, 2023 | Rabia Noureen
Atlassian Releases Patches for Critical Authentication Vulnerability in Jira Software
Feb 6, 2023 | Rabia Noureen
What is Microsoft Sentinel and How Does It Protect Cloud and On-Premises Resources?
Feb 2, 2023 | Mustafa Toroman
Microsoft Warns About New Consent-Phishing Attacks Used to Steal Data
Feb 1, 2023 | Rabia Noureen
Microsoft Defender for Endpoint Adds Device Isolation Support for Linux Machines
Jan 31, 2023 | Rabia Noureen
Most popular on petri