In the last few weeks we have seen some security vulnerabilities affecting QNAP and Synology devices. They are flaws that allow an attacker to cause crashes or execute arbitrary code. They could even access the contents of private memory and steal passwords or confidential information. So, have these vulnerabilities been fixed yet? The truth is that both brands are still working on it.
No updates for QNAP and Synology
As of this writing, both QNAP and Synology continue to work on releasing updates as soon as possible for users whose NAS devices are vulnerable to these security flaws. However, the problem has not yet been corrected, and therefore the devices remain at risk.
In the case of QNAP, there are two security flaws recorded as CVE-2021-3711 and CVE-2021-3712. These vulnerabilities affect NAS devices running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync.
The first vulnerability is a buffer overflow in the SM2 algorithm. It can cause crashes or remote code execution. The second is a read buffer overrun during ASN.1 string processing; it can also be used to crash applications or read private memory.
It should be noted that these are OpenSSL flaws that affect QNAP devices. The OpenSSL project already corrected the problem with the release of OpenSSL 1.1.1l a few days ago. However, QNAP is still working on releasing patches for its users as soon as possible.
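Since the fix lives in the OpenSSL library itself, one thing an administrator can do while waiting for the vendor patches is to confirm which OpenSSL build a device actually runs. The shell script below is an added example, not code from the article nor from QNAP, Synology or OpenSSL: it classifies the banner printed by `openssl version` against the 1.1.1l release named above. It assumes that only the 1.1.1 branch is of interest and reports any other branch as unknown, to be checked against the OpenSSL advisory by hand.

```shell
#!/bin/sh
# Added example (not from the article or from QNAP/Synology/OpenSSL): classify
# the banner printed by `openssl version` against the 1.1.1l fix the article
# mentions. Assumption: only the OpenSSL 1.1.1 branch is evaluated; any other
# branch is reported as "unknown" so it can be checked against the OpenSSL
# advisory by hand.

openssl_status() {
    # $1 is a banner such as "OpenSSL 1.1.1k  25 Mar 2021"; the second
    # whitespace-separated word is the version string.
    set -- $1
    ver=${2:-}
    case "$ver" in
        1.1.1|1.1.1[abcdefghijk]*)
            # 1.1.1 through 1.1.1k predate the fix (letters are spelled out
            # rather than written as a range so the result does not depend
            # on the shell's locale)
            echo vulnerable ;;
        1.1.1[lmnopqrstuvwxyz]*)
            # 1.1.1l or a later letter release carries the fix
            echo patched ;;
        *)
            # another branch, a pre-release tag, or no banner at all
            echo unknown ;;
    esac
}

# Usage on the device itself (e.g. over SSH): feed the installed binary's
# banner to the classifier. If no openssl binary is on the PATH the result
# is "unknown".
openssl_status "$(openssl version 2>/dev/null)"
```

One caveat when reading the result: a vendor package can bundle its own copy of the library, so the system binary's banner only tells you about software that links against that copy, not about every application installed on the NAS.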
Remote access and denial of service
In the case of Synology, which has several affected products such as DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server and VPN Server, no updates have been released to correct the problem at the moment. The company says it is working on these patches so that users can apply them in the shortest possible time.
Synology devices are affected by the same two vulnerabilities that also put QNAP NAS devices at risk, and for now there are no patches to correct them so that the devices can operate without that security risk.
An attacker could remotely carry out denial-of-service attacks and run arbitrary code against a vulnerable version of Synology DiskStation Manager, Synology Router Manager, VPN Plus Server, or VPN Server.
Therefore, in both cases we are still waiting for security updates that correct the problem. Both QNAP and Synology are working on offering their customers patches for these vulnerabilities as soon as possible. You can see some tips to protect a NAS.
From this article we always recommend applying all the updates and security patches that are available. It is the best measure to ensure that any device connected to the network is protected and has no flaws that could allow an attacker to infect it with malware, gain access to the device, or execute actions remotely. But of course, sometimes these updates can be a problem if we use obsolete devices or, as in the case seen in this article, they take time to arrive.