NAS maker QNAP is investigating and working on security updates to address RCE and DoS vulnerabilities patched by OpenSSL last week. The security flaws tracked as CVE-2021-3711 and CVE-2021-3712, impact QNAP NAS device running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync a backup and disaster recovery app.
The heap-based buffer overflow in the SM2 cryptographic algorithm behind CVE-2021-3711 would likely lead to crashes but can also be abused by attackers for arbitrary code execution. The CVE-2021-3712 vulnerability is caused by a read buffer overrun weakness while processing ASN.1 strings. Threat actors can exploit it to crash vulnerable apps or gain access to private memory contents such as private keys or similar sensitive info.
If successfully exploited, the vulnerabilities allow remote attackers to gain access to memory data without authorization, trigger denial-of-service (DoS) states, or run arbitrary code with the permissions of the user running the HBS 3 app.
While the OpenSSL development team published OpenSSL 1.1.1l to address the flaws, QNAP did not provide an estimated time of arrival for incoming security updates.
QNAP Says “thoroughly investigating the case” and “will release security updates and provide further information as soon as possible.”
Like QNAP, Synology also said multiple models in its NAS including Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server are affected by the same two security flaws.