[German]Taiwanese manufacturer QNAP has provided firmware updates for its NAS systems that are supposed to fix the SMB root vulnerability (CVE-2021-44142) in SAMBA. Here are some notes on updating QTS 5.0.0 to close the vulnerability, published by manufacturer QNAP in a security advisory dated late January 2022. QNAP also warns about the CVE-2022-0336 vulnerability and recommends disabling SMBv1.
SAMBA vulnerability CVE-2021-44142
I had pointed out in the German blog post Schwachstelle CVE-2022-44142 in Samba that all versions of Samba prior to 4.13.17 are vulnerable to a heap read-write vulnerability CVE-2022-44142. The vulnerability allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfs_fruit.
QNAP fixes vulnerability
Blog reader Stefan K. contacted me by mail the other day (thanks for that) and pointed out that there were updates from QNAP again. The SMB root vulnerability CVE-2021-44142 has been fixed. QNAP has published these release notes for the firmware update QTS 188.8.131.522 build 20220129. This firmware has the following security fix.
Fixed SMB CVE-2021-44142 and some security issues.
QNAP has also fixed a number of bugs in the QTS 184.108.40.2062 build 20220129 firmware. According to the release note, the following bugs have been fixed.
- Network & Virtual Switch would highlight incorrect Ethernet ports on the device drawing after users installed network expansion cards on the TDS-16489U.
- Users could not enable Advanced Network Driver after migrating disks from one NAS to another NAS.
- Resource Monitor would not display swap memory usage for SSDs after a system restart.
- Users could not create storage pools or volumes with the M.2 SSDs installed on the QM2 expansion card.
- Users could not cancel or delete video transcoding tasks in File Station.
- Storage & Snapshots would not rebuild a RAID 1 group after users replaced a failed disk if the other disk was in the "warning" state.
- When users replaced a disk in a legacy volume to rebuild the volume, Storage & Snapshots would display the volume status as "Unmounted (Rebuilding)".
- The "@Recently-Snapshot" folder would contain more snapshots than Snapshot Manager. (Normally, they should contain the same number of snapshots.)
- Users could not connect to iSCSI targets via static IPv6 addresses after updating QTS to 220.127.116.118.
- Users could not stop a RAID scrubbing task in the "Background Tasks" on the Desktop.
- Desktop icon names would be truncated in certain languages.
- After users deleted files via FTP, QTS would not move the deleted files to the Recycle Bin.
- After enabling Folder Aggregation, users could not copy files from macOS to the portal folder. (Note: Folder Aggregation combines shared folders from different devices on the same network into a portal folder.)
However, the release notes show a number of known issues.
QNAP warns about vulnerability CVE-2022-0336 u. CVE-2021-44142
In a security advisory dated February 10, 2022, QNAP warns that several vulnerabilities have been reported in Samba that affect QNAP NAS. If exploited, these vulnerabilities allow attackers to access sensitive information, execute arbitrary commands, and impersonate existing services:
- CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution
- CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services
QNAP is investigating the vulnerabilities and plans to release security updates and provide more information as soon as possible. In the meantime, the manufacturer recommends disabling SMBv1 in the security advisory. Details can be found in this security advisory dated February 10, 2022. .
QNAPs forced update after 3,600 DeadBolt ransomware infections (Jan. 2022)
QNAP: DeadBolt attacks via vulnerability patched in December 2021
Ransomware eCh0raix attacks QNAP devices (Dez. 2021)
QNAP firmware update version QTS 18.104.22.1681 build 20211221 and log4j vulnerability
QNAP has released NAS security updates and disabled an app
QNAP: Vulnerability in Media Streaming Add-on
Cookies helps to fund this blog: Cookie settings