QNAP Systems, Inc. (QNAP) and other network storage makers have issued security advisories for OpenSSL remote code execution (RCE) and denial-of-service (DoS) vulnerabilities that impact their network-attached storage (NAS) devices.
CVE-2021-3711 and CVE-2021-3712 (RCE)
In the first advisory, QNAP reported two out-of-bounds vulnerabilities in OpenSSL that affect QNAP NAS running HBS 3 (Hybrid Backup Sync).
A remote attacker could exploit these vulnerabilities (CVE-2021-3711 and CVE-2021-3712) to execute arbitrary code with the permissions of the user running the application.
According to an OpenSSL advisory issued on August 24, 2021, CVE-2021-3711 is a bug in the implementation of the SM2 decryption code and is rated High severity (CVSS score of 8.1). The other bug, CVE-2021-3712, is rated Moderate and involves read buffer overruns when processing ASN.1 strings.
Other storage makers, Synology and NetApp, have also issued alerts on the OpenSSL vulnerabilities.
CVE-2021-3712 (DoS)
In the second advisory, QNAP reported one out-of-bounds read vulnerability in OpenSSL that affects QNAP NAS running QTS, QuTS hero, and QuTScloud.
A remote attacker could exploit the vulnerability (CVE-2021-3712) to disclose memory data or execute a denial-of-service (DoS) attack.
For each of the OpenSSL issues, QNAP said it “is thoroughly investigating the case” and will provide further information as soon as possible.