“We recommend users to check back and install security updates as soon as they become available. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” the NAS maker said. “QNAP is thoroughly investigating the case.”

Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes available for appliances running QTS 4. QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company’s cloud-optimized NAS operating system.

The Netatalk development team addressed the security bugs in version 3.1.1, released on March 22, three months after the Pwn2Own 2021 hacking competition, where they were first disclosed and exploited. Netatalk is an open-source implementation of AFP (short for Apple Filing Protocol) that allows systems running *NIX/*BSD to act as AppleShare file servers (AFP) for macOS clients (i.e., to access files stored on Synology NAS devices).

“Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM),” Synology said.

This also would allow the OP to spin up those packages (although they'd need to be the Github install rather than the Synology package) on it.

Three others, including CVE-2022-23125, CVE-2022-23122, and CVE-2022-0194, also allow for arbitrary code execution. Synology has warned customers that some of its network-attached storage (NAS) appliances are exposed to attacks exploiting multiple critical Netatalk vulnerabilities.

Or, a VM running Ubuntu is SUPER light on resources (as long as one uses the server edition through the CLI and not with a GUI), or Raspberry Pi OS (which can now run on a VM if the host runs an ARM processor).

The flaw is tracked as CVE-2022-23121, with a high severity score, but it isn’t the only flaw that Synology and QNAP have responded to. QNAP is working on mitigation, but for the time being recommends disabling AFP on affected machines.

The Synology has netatalk configured out of the box so it can be seen on the network as an AFP share and can be used as a destination for Time Machine.

Synology is in the process of releasing patches for DSM, but if you’re on DSM 7.1 or later, patches are already released. The issue results from the lack of proper. The specific flaw exists within the processing of DSI structures in Netatalk. Authentication is not required to exploit this vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation DS418play. The issue was fixed in Netatalk version 3.1.1.

However, to create a volume larger than 200 TB, a RAID 6 storage pool and at least 64 GB of system memory are still required. This update automatically converts existing volumes that use the Btrfs (Peta Volume) file system to Btrfs. Users can now create a Btrfs volume of up to 1 PB on specific Synology NAS models.

Netatalk is an open-source implementation of the Apple Filing Protocol that lets *NIX or BSD systems act as AppleShare file servers for macOS clients. This affects some versions of the Synology DiskStation Manager (DSM), as well as the Synology Router Manager (SRM). For QNAP, this affects several versions of their QTS systems. Synology and QNAP are warning users that the critical Netatalk vulnerabilities can be exploited to allow remote attackers to access sensitive information and execute arbitrary code. If you have a network-attached storage device from Synology or QNAP, listen up: this story is for you.