QNAP works on patches for OpenSSL bugs impacting its NAS Devices

Introduction:

QNAP’s Network Attached Storage (NAS) devices are systems consisting of one or more hard drives that are constantly connected to the internet. The QNAP device becomes the backup “hub”, or storage unit, that holds all the important files and media such as photos, videos and music.

A NAS system is a storage device connected to a network that allows storage and retrieval of data from a centralized location for authorized network users and heterogeneous clients. NAS systems are flexible and scale-out, meaning that as you need additional storage, you can add on to what you have.

Over 2,370 companies use QNAP. The companies using QNAP are most often found in the United States and in the computer software industry. QNAP is most often used by companies with 10-50 employees and 1M-10M dollars in revenue.

QNAP Systems, Inc., which specializes in network-attached storage (NAS) appliances, is focusing on the release of security updates to tackle two OpenSSL vulnerabilities that impact its NAS devices.

According to QNAP, the company is investigating the case and patches will be released as soon as possible.

OpenSSL, a widely used open-source cryptographic library that provides encrypted connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), addressed the issues in versions OpenSSL 1.1.1l and 1.0.2za.

Impact:

QNAP explains that the vulnerabilities can be exploited to enable remote attackers to read data in the memory of the affected device, trigger a denial-of-service (DoS) attack, or run arbitrary code with the same permissions as that of the user running the HBS 3 app.

These flaws impact QNAP NAS devices running the QTS, QuTS hero and QuTScloud operating systems, as well as the Hybrid Backup Sync (HBS 3) data backup and disaster recovery solution.

Security flaws:

The security flaws are tracked as CVE-2021-3711 and CVE-2021-3712:

  • CVE-2021-3711 – OpenSSL SM2 decryption buffer overflow
  • CVE-2021-3712 – Read buffer overruns processing ASN.1 strings

The heap-based buffer overflow in the SM2 cryptographic algorithm behind CVE-2021-3711 would likely lead to crashes but can also be abused by attackers for arbitrary code execution.

The CVE-2021-3712 vulnerability is caused by a read buffer overrun weakness while processing ASN.1 strings. Threat actors can exploit it to crash vulnerable apps or gain access to private memory contents such as private keys or similar sensitive information.

Remediation:

In order to test if you’re vulnerable and assess the potential damage, here are some steps to take:

  • Test the systems for OpenSSL v1.0.1–1.0.1f. See “Affected Devices and Sites” above.
  • If vulnerable, assess what information may have been compromised. Most organizations should assume that any information present on the system and accessed by the application using OpenSSL is suspect.
  • Revoke existing SSL certificates and reissue new certificates. Attackers may have been able to retrieve SSL certificate private keys, which could allow them to impersonate the service and/or decrypt any future traffic. Don’t generate the new certificates using the old private key. Make sure to create a new private key and use that new private key to create the new certificate signing request (CSR).
  • Perform clean-up activities: For example, if the system provides secure logons, reset user passwords and notify them; if sensitive documents were available to the service, involve the legal counsel; assess the regulatory and contractual compliance obligations; etc.
  • Get a patch from the vendor if available. Most Linux distribution vendors have been publishing updated packages (Fedora, Red Hat, CentOS, Debian, etc.); check with the application or operating system vendor.
  • Affected users should upgrade to OpenSSL
  • If OpenSSL was obtained separately from a product and you have access to the source code, turn off TLS heartbeats.
  • Update the IPS and firewall signatures and enable Heartbleed signatures. If the vendor doesn’t provide signatures for Heartbleed, contact them.
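As an added example (not QNAP’s or OpenSSL’s own code), the following POSIX shell script applies the version-check step above to the fixed releases named earlier, 1.1.1l and 1.0.2za: it parses an `openssl version` line and reports whether the library is at or past the fixed release for its branch. It assumes only the 1.1.1 and 1.0.2 branches are of interest (anything else is reported as "unknown"), and the version strings it is tested with are constructed samples.

```shell
#!/bin/sh
# Added example: classify an `openssl version` string against the fixed
# releases 1.1.1l and 1.0.2za (assumption: only those two branches are known).

# Rank an OpenSSL letter suffix: "" -> 0, "a" -> 1 ... "z" -> 26, "za" -> 27.
# OpenSSL continues past "z" with a second letter, so longer suffixes sort later.
letter_rank() {
    s="$1"
    if [ -z "$s" ]; then echo 0; return; fi
    last="${s#"${s%?}"}"                    # last character of the suffix
    code=$(printf '%d' "'$last")            # ASCII code, 'a' = 97
    echo $(( 26 * (${#s} - 1) + code - 96 ))
}

# Pull the "1.1.1k"-style token out of a full `openssl version` line.
version_token() {
    for tok in $1; do
        case "$tok" in
            [0-9]*.[0-9]*.[0-9]*) echo "$tok"; return 0 ;;
        esac
    done
    return 1
}

# Split "1.0.2za" into "1 0 2 27" (major minor patch letter-rank).
version_parts() {
    num="${1%%[a-z]*}"                      # numeric part, e.g. 1.0.2
    suf="${1#"$num"}"                       # letter suffix, e.g. za
    oldifs=$IFS; IFS=.; set -- $num; IFS=$oldifs
    echo "$1 $2 $3 $(letter_rank "$suf")"
}

# Print "patched", "vulnerable" or "unknown" for a version string.
openssl_status() {
    tok=$(version_token "$1") || { echo unknown; return; }
    set -- $(version_parts "$tok")
    case "$1.$2.$3" in
        1.1.1) fixed=$(letter_rank l) ;;    # fixed in 1.1.1l
        1.0.2) fixed=$(letter_rank za) ;;   # fixed in 1.0.2za
        *)     echo unknown; return ;;
    esac
    if [ "$4" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Live check of the local library, skipped when no openssl binary is present.
if command -v openssl >/dev/null 2>&1; then
    echo "local OpenSSL: $(openssl_status "$(openssl version)")"
fi
```

On a NAS you would run the same check against the OpenSSL bundled with the firmware or the HBS 3 app rather than the host's default binary, since those may carry a different version.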