Users of Synology and QNAP NAS devices are advised to be on the lookout for patches for several critical vulnerabilities affecting Netatalk, an open-source implementation of the Apple Filing Protocol (AFP) that allows Unix-like operating systems to act as file servers for Macs.
There is no indication that the vulnerabilities are currently being exploited by attackers in the wild, but until patches are made available, users should implement the mitigations delineated by the device vendors.
Vulnerabilities in some of the most widely used NAS devices are often exploited to covertly mine cryptocurrency, or to compromise the devices so that their contents can be stolen, or encrypted and held for ransom.
The vulnerabilities were reported, and some of them exploited, at the Pwn2Own 2021 hacking competition, and were patched in Netatalk v3.1.1 in March, but the new version has yet to be propagated to some of the affected devices.
The vulnerabilities in question are:
- CVE-2022-0194, CVE-2022-23122, and CVE-2022-23125, which can be exploited to achieve unauthenticated remote code execution
- CVE-2022-23123 and CVE-2022-23124, two sensitive information disclosure vulnerabilities
- CVE-2022-23121 and CVE-2021-31439, two vulnerabilities that may allow network-adjacent attackers to execute arbitrary code on affected installations
Western Digital reacted earlier by removing Netatalk from their firmware altogether. Users can continue to access local network shares and perform Time Machine backup via SMB.
TrueNAS has fixed the issues in TrueNAS Core 12.0-U8.1.
Synology is in the process of pushing out fixes; one is already available for Synology DiskStation Manager v7.1.
QNAP has fixed the vulnerabilities in QTS 220.127.116.112 build 20220419 and later, and is working on other fixes.