Users of Synology and QNAP NAS equipment are being warned about major Netatalk vulnerabilities in their operating systems. Both firms are developing patches to address the issues.
According to Synology's website, there are various vulnerabilities in Netatalk that allow hackers to remotely "obtain sensitive information and perhaps execute arbitrary code." As a result, the vulnerabilities exist in various versions of Synology's DiskStation Manager operating system, VS Firmware 2.3, and Synology Router Manager 1.2.
Synology
Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM).
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.1 | Critical | Upgrade to 7.1-42661-1 or above. |
| DSM 7.0 | Critical | Ongoing |
| DSM 6.2 | Critical | Ongoing |
| VS Firmware 2.3 | Critical | Ongoing |
| SRM 1.2 | Critical | Ongoing |
QNAP
Upon the latest release of Netatalk 3.1.13, the Netatalk development team disclosed multiple fixed vulnerabilities affecting earlier versions of the software: CVE-2021-31439, CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, and CVE-2022-0194.
These vulnerabilities currently affect the following QNAP operating system versions:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
We have already fixed the vulnerabilities in the following versions of QTS:
- QTS 4.5.4.2012 build 20220419 and later
QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible.
