NAS servers such as Synology and QNAP support AFP (Apple Filing Protocol) via Netatalk software. This software is an open-source implementation that allows Unix and BSD-based operating systems the ability to act as AppleShare servers for macOS clients. In this way, they can easily and quickly access all the files stored on Synology NAS devices. Next, we are going to explain how it affects you and why you should be very attentive to the next updates from Synology and QNAP.
Critical vulnerabilities in Netatalk
A number of critical vulnerabilities have been discovered in the Netatalk software that could allow a remote attacker to obtain sensitive information from the NAS server, and execute arbitrary code. This means that a possible attacker would be able to access the NAS server and all the files, as well as being able to execute any command with administrator permissions, so it is a critical security flaw that must be resolved as soon as possible.
The Netatalk development team has already fixed these security flaws in its latest version 3.1.13, this version was released on March 22, so it is now necessary for manufacturers such as QNAP and Synology to release updates to their operating system, Since this software is built into your operating system by default, it is not an additional application that we can install through the app store.
If you do not have the AFP protocol of the NAS activated, you do not run any risk, because the software with the vulnerability is not found to be working. In the case of using AFP because you have macOS, then the most important recommendation is the following: disable this feature until a patch is available.
Affected Synology NAS
All Synology NAS servers except those with the new DSM version 7.1-42661-1 or higher are at risk. Any operating system based on DSM 7.0 or DSM 6.2 has the Netatalk version vulnerable, and there is no firmware update for this operating system from the manufacturer yet. Also, it affects not only Synology NAS, but also its routers using SRM 1.2 version, as we have this AFP protocol built into them.
Affected operating systems:
- DSM 7.0
- DSM 6.2
- VS Firmware 2.3
- SRM 1.2
The manufacturer Synology has not indicated when we will have the new versions of the operating system with the “good” version, but they have promised that it will be done within the usual 90 days after the software fixes the vulnerability, so it could still take several weeks until that the manufacturer launches the corresponding updates.
Affected QNAP NAS
The manufacturer QNAP has released a new version of the QTS operating system, specifically version QTS 4.5.4.2012 build 20220419 and later fixes these Netatalk security flaws. However, the QTS 5.X and QuTS hero 5.X branch operating systems have not yet received the corresponding update, so if you have a QNAP NAS you should be very attentive to this, and update the operating system as soon as possible. . Any QNAP NAS with the following operating systems is affected:
- QTS 5.0.x and later
- QTS 4.5.4 (only with the new version 2012 the bug is fixed)
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
QNAP is currently investigating this issue and will release a QTS 5.X branch update to all users in the next few days, meanwhile, they recommend disabling the AFP protocol while receiving updates. To disable it, we simply have to go to “Control Panel> Network and File Services> Win/Mac/NFS/WebDAV> Apple Networks” and select “Disable AFP”. The manufacturer has also stated that it is working on addressing the Linux Dirty Pipe vulnerability that came out a few weeks ago, which can cause DoS and crashes remotely. In addition, they also have to release an update to mitigate a couple of critical Apache server bugs. Therefore, the next QNAP update is very important.
