QNAP NAS owners are under attack once again

By Scott Marlette Last updated Apr 22, 2022

New vulnerabilities have been discovered in QNAP network-attached storage (NAS) devices, the company has confirmed.

As reported by BleepingComputer, the vulnerabilities – tracked as CVE-2022-22721, and CVE-2022-23943 – have both been awarded a severity score of 9.8/10. Discovered in Apache HTTP Server 2.4.52 and earlier, the bugs can be used to perform low complexity attacks that don’t require victim interaction.

QNAP has warned NAS owners to apply known mitigations, as a full patch is not yet available.

Mitigation available, patch pending

“We are thoroughly investigating the two vulnerabilities that affect QNAP products, and will release security updates as soon as possible,” the company said.

“CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device.”

While we await a full patch, QNAP has advised customers to keep the default value “1M” for LimitXMLRequestBody, and disable mod_sed, as these two things effectively plug the holes.

QNAP also said the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.

In the same announcement, QNAP revealed that it’s hard at work fixing “Dirty Pipe”, a high severity Linux vulnerability that was recently discovered.

Dirty Pipe affects NAS devices running multiple versions of QTS, QuTS hero, and QuTScloud, and allows threat actors to trigger denial of service (DoS) attacks, or crash endpoints remotely.

The Linux kernel team patched Dirty Pipe as soon as its existence was confirmed. A security update has been rolled out to all affected Linux versions, while Google also updated the Android operating system.

If left unpatched on vulnerable systems, Dirty Pipe can be exploited by an attacker to gain complete control over affected computers and smartphones. With this access, they would be able to read users’ private messages, compromise banking apps and more.

Via BleepingComputer

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.