Network attached storage (NAS) device vendors QNAP and Synology this week disclosed multiple critical vulnerabilities in an open source fileserver technology integrated into their products.
The vulnerabilities — several of which enable remote code execution (RCE) — exist in Netatalk, an open source version of Apple File Protocol fileserver for accessing network shares in multiple operating system environments. Both vendors are still working on updating all versions of their products that contain the vulnerability.
Unpatched for Months
Security researchers working in coordination with the Zero Day Initiative (ZDI) reported a total of six vulnerabilities to the maintainers of Netatalk in December. Three of them are critical RCE bugs tied to buffer-overflow issues (CVE-2022-0194; CVE-2022-23122; CVE-2022-23125). Two of the flaws are medium-severity out-of-bounds information-disclosure vulnerabilities (CVE-2022-23124; CVE-2022-23123), and one is a critical RCE issue tied to improper handling of exceptional conditions (CVE-2022- 23121).
Brian Gorenc, senior director of vulnerability research and head of ZDI at Trend Micro, tells Dark Reading that all the Netatalk bugs were first discovered at Pwn2Own Austin in November 2021.
Another flaw, a high-severity buffer-overflow related RCE (CVE-2021-31439), was disclosed to Netatalk’s maintainers all the way back in March 2021.
The development team at Netatalk released an updated version of the software (Netatalk 3.1.13) on March 23 that addressed all seven of the vulnerabilities. The updated version is available for all currently supported operating systems: FreeBSD, Linux, OpenBSD, NetBSD, and Solaris and derivatives.
However, it’s a longer timeline for some vendors to roll the patches into their products. ZDI’s Gorenc says that because Netatalk is a third-party component used by many NAS vendors, the vendors are responsible for monitoring for releases of Netatalk and integrating these releases into their products. “We are glad to see the NAS vendors updating their Netatalk deployments to resolve the vulnerabilities that were disclosed and fixed at Pwn2Own Austin,” he says.
Western Digital is another vendor whose products were impacted by the flaws in Netatalk. But unlike Synology and QNAP, Western Digital proactively removed Netatalk from its products on Jan. 10, 2022, citing concerns over multiple critical vulnerabilities in the technology.
“Because Netatalk is unmaintained, we have removed Netatalk from our firmware released on January 10, 2022,” the company announced in March. “Users can continue to access local network shares and perform Time Machine backup via SMB.”
Synology’s advisory described the vulnerabilities as critical and allowing remote attackers to steal sensitive data. Bad actors could potentially execute arbitrary code on NAS devices via a vulnerable version of its DiskStation Manager (DSM) and Synology Router Manager (SRM) technologies.
QNAP identified multiple versions of its QTS operating system as being vulnerable and said it is currently investigating the flaws. The company said that it’s working on releasing updates to all impacted products, and it urged customers to install the updates as soon as they become available.
The Taiwan-based NAS manufacturer also outlined steps that organizations can take to mitigate the risk posed by the vulnerabilities while it works on fixes. QNAP’s advisory identified CVE-2021-31439 — the flaw from last March — as one of the issues that it still needs to address in its products even though it was disclosed more than one year ago.