Cyber Security

QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices

Network-attached storage (NAS) appliance maker QNAP said it’s currently investigating two recently patched security flaws in OpenSSL to determine their potential impact, adding it will release security updates should its products turn out to be vulnerable.

Tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score: 4.4), the weaknesses concern a high-severity buffer overflow in SM2 decryption function and a buffer overrun issue when processing ASN.1 strings that could be abused by adversaries to run arbitrary code, cause a denial-of-service condition, or result in disclosure of private memory contents, such as private keys, or sensitive plaintext —

“A malicious attacker who is able present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash,” according to the advisory for CVE-2021-3711.

Stack Overflow Teams

OpenSSL, a widely used open-source cryptographic library that provides encrypted connections using Secure Sockets Layer (SSL) or Transport Layer Security (TLS), addressed the issues in versions OpenSSL 1.1.1l and 1.0.2za that were shipped on August 24.

In the meanwhile, NetApp on Tuesday confirmed that the flaws affect the following products, while it continues to assess the rest of its lineup —

  • Clustered Data ONTAP
  • Clustered Data ONTAP Antivirus Connector
  • E-Series SANtricity OS Controller Software 11.x
  • NetApp Manageability SDK
  • NetApp SANtricity SMI-S Provider
  • NetApp SolidFire & HCI Management Node
  • NetApp Storage Encryption

The development follows days after NAS maker Synology also disclosed that it’s opened an investigation into a number of models, comprising DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server, to check if they are affected by the same two flaws.

Prevent Ransomware Attacks

“Multiple vulnerabilities allow remote attackers to conduct denial-of-service attack[s] or possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server,” the Taiwanese company said in an advisory.

Other companies whose products rely on OpenSSL have also released security bulletins, including —

Products You May Like

Articles You May Like

Pixel 7, Pixel 7 Pro Launch Date Tipped, Said to Be Available for Pre-Order on Same Day
The confusing job market: Tech and finance brace for the worst, retail is mixed, travel can’t hire fast enough
Oppo Watch 3 Series to Launch on August 10, Alleged Live Images Surface
HBO Max, Discovery+ Will Merge Into a Single Streaming Platform starting 2023
Resolving Availability vs. Security, a Constant Conflict in IT

Leave a Reply

Your email address will not be published.