New vulnerabilities have been discovered in QNAP network-attached storage (NAS) devices, the company has confirmed.
As reported by BleepingComputer, the vulnerabilities – tracked as CVE-2022-22721, and CVE-2022-23943 – have both been awarded a severity score of 9.8/10. Discovered in Apache HTTP Server 2.4.52 and earlier, the bugs can be used to perform low complexity attacks that don’t require victim interaction.
QNAP has warned NAS owners to apply known mitigations, as a full patch is not yet available.
Mitigation available, patch pending
“We are thoroughly investigating the two vulnerabilities that affect QNAP products, and will release security updates as soon as possible,” the company said.
“CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device.”
While we await a full patch, QNAP has advised customers to keep the default value “1M” for LimitXMLRequestBody, and disable mod_sed, as these two things effectively plug the holes.
QNAP also said the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
In the same announcement, QNAP revealed that it’s hard at work fixing “Dirty Pipe”, a high severity Linux vulnerability that was recently discovered.
Dirty Pipe affects NAS devices running multiple versions of QTS, QuTS hero, and QuTScloud, and allows threat actors to trigger denial of service (DoS) attacks, or crash endpoints remotely.
The Linux kernel team patched Dirty Pipe as soon as its existence was confirmed. A security update has been rolled out to all affected Linux versions, while Google also updated the Android operating system.
If left unpatched on vulnerable systems, Dirty Pipe can be exploited by an attacker to gain complete control over affected computers and smartphones. With this access, they would be able to read users’ private messages, compromise banking apps and more.