QNAP and other network storage makers issue security advisories on OpenSSL flaws

QNAP issues security advisories on OpenSSL flaws

QNAP Systems, Inc. (QNAP) and other network storage makers have issued security advisories for OpenSSL remote code execution (RCE) and denial-of-service (DoS) vulnerabilities that impact its network-attached storage (NAS) devices.

CVE-2021-3711 and CVE-2021-3712 (RCE)

In the first advisory, QNAP reported two out-of-bounds vulnerabilities in OpenSSL that affect QNAP NAS running HBS 3 (Hybrid Backup Sync).

A remote attacker could exploit these vulnerabilities (CVE-2021-3711 and CVE-2021-3712) to execute arbitrary code with the permissions of the user running the application.

According to an OpenSSL advisory previously issued August 24, 2021, CVE-2021-3711 is a bug in the implementation of the SM2 decryption code and is rated High severity (CVSS score of 8.1). The other Moderate-rated bug CVE-2021-3712 is related to how the read buffer overruns processing ASN.1 strings.

Other storage makers Synology and NetApp have also issued alerts on the OpenSSL vulnerabilities.

CVE-2021-3712 (DoS)

In the second advisory, QNAP reported one out-of-bounds read vulnerability in OpenSSL that affects QNAP NAS running QTS, QuTS hero, and QuTScloud.

A remote attacker could exploit the vulnerability (CVE-2021-3712) to disclose memory data or execute a denial-of-service (DoS) attack.

For each of the OpenSSL issues, QNAP said it “is thoroughly investigating the case” and will provide further information as soon as possible.

Related Articles