A short note for readers who use QNAP NAS drives: older builds of the QTS 5.0.0 software contain serious vulnerabilities, which were fixed on June 8, 2022 with a firmware update to QTS 184.108.40.2065 build 20220531. Installing this update is strongly recommended. Older QTS versions (4.x etc.) should have been fixed long ago.
German blog reader Singlethread pointed out this firmware update for QTS 5.x and the closed vulnerabilities in a comment in the discussion area (thanks for that).
If anyone is using QNAP NAS devices: there are again important updates in version QTS 220.127.116.115 build 20220531, which was released on June 08, 2022.
QNAP has disclosed more details about the closed vulnerabilities in several Security Advisories. I could not find anything about this in QNAP's overview page of published Security Advisories – the last updates are from May 2022. The background is that these are old known vulnerabilities from March and April 2022, but they have only now been closed in QTS 5.0.0.
QSA-22-06: Vulnerability CVE-2022-0778
Vulnerability CVE-2022-0778 (Infinite Loop Vulnerability in OpenSSL) has been known since March 29, 2022 and has actually been fixed for a long time. However, according to QSA-22-06, QNAP did not release the corresponding QTS 5.0.0 version to close the vulnerability until June 10, 2022.
QSA-22-22: Several vulnerabilities
Security Advisory QSA-22-12 dated April 25, 2022 describes several vulnerabilities (CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, CVE-2022-0194) in Apache HTTP Server. With the firmware update released on June 10, 2022, these vulnerabilities were also closed in QTS 5.0.0.
QSA-22-11: Several vulnerabilities
Security Advisory QSA-22-11 dated April 20, 2022 describes several vulnerabilities (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721, CVE-2022-23943) in Apache HTTP Server. With the firmware update released on June 10, 2022, these vulnerabilities were also closed in QTS 5.0.0.