QNAP is warning clients that a recently disclosed vulnerability affects most of its NAS devices, with no mitigation available while the vendor readies a patch.
Customers of Taiwan-based QNAP Systems are in a bit of limbo, waiting until the company releases a patch for an OpenSSL bug that the company has warned affects most of its network-attached storage (NAS) devices. The vulnerability can trigger an infinite loop that creates a denial-of-service (DoS) scenario.
Though the bug – tracked as CVE-2022-0778 and rated 7.5 (high severity) on the CVSS severity-rating scale – has been patched by OpenSSL, QNAP hasn’t gotten around to applying a fix yet for its NAS devices affected by the vulnerability. The company is telling customers that “there is no mitigation available” and they “must check back and install security updates as soon as they become available.”
“QNAP is thoroughly investigating the case,” the company said. “We will release security updates and provide further information as soon as possible.”
The vulnerability is in OpenSSL’s BN_mod_sqrt() function, which computes a modular square root. The bug can be triggered by crafting a certificate that has invalid explicit curve parameters, causing the function to loop forever, according to its listing in the NIST National Vulnerability Database. This creates DoS conditions on the device, according to OpenSSL. OpenSSL is a popular cryptography library, primarily used by networking software, that offers an open-source implementation of the TLS protocol.
“Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack,” according to the listing. “The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters.”
Vulnerable scenarios on devices using OpenSSL include:
- TLS clients consuming server certificates,
- TLS servers consuming client certificates,
- Hosting providers taking certificates or private keys from customers,
- Certificate authorities parsing certification requests from subscribers, or
- Anything else that parses ASN.1 elliptic curve parameters.
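Because the trigger the advisory describes is a certificate or key whose EC AlgorithmIdentifier carries explicit curve parameters instead of a named-curve OID, a defender can triage incoming DER material for that shape before handing it to an unpatched OpenSSL. The following added example (not QNAP's or OpenSSL's code) does that with a minimal DER walker; it flags every id-ecPublicKey AlgorithmIdentifier (as found in X.509 certificates, CSRs and PKCS#8 keys, not the bare SEC1 ECPrivateKey form) whose parameters are an inline SEQUENCE, and it does not reproduce the bug itself. The sample inputs are constructed and abbreviated, since only the parameter tag matters to the check.

```python
# Added example (not QNAP's or OpenSSL's code): defender-side pre-check that flags
# DER material carrying explicit EC curve parameters, the input shape the
# advisory describes as reaching BN_mod_sqrt(). It does not reproduce the bug.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
SEQUENCE, OID, NULL = 0x30, 0x06, 0x05

def der_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Return the (tag, value) pairs inside a constructed element."""
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        items.append((tag, inner))
    return items

def ec_parameter_kinds(der):
    """One entry per id-ecPublicKey AlgorithmIdentifier found anywhere in der:
    'named' (curve OID), 'explicit' (inline ECParameters SEQUENCE), 'implicit' (NULL)."""
    found = []
    def walk(tag, value):
        if not tag & 0x20:                   # primitive element: nothing to descend into
            return
        items = children(value)
        if tag == SEQUENCE and items and items[0] == (OID, ID_EC_PUBLIC_KEY):
            ptag = items[1][0] if len(items) > 1 else None
            found.append({OID: "named", SEQUENCE: "explicit", NULL: "implicit"}.get(ptag, "absent"))
        for child in items:
            walk(*child)
    tag, value, _ = der_tlv(der, 0)
    walk(tag, value)
    return found

def has_explicit_ec_params(der):
    """True if any EC AlgorithmIdentifier uses explicit parameters (quarantine such input)."""
    return "explicit" in ec_parameter_kinds(der)

# Constructed samples: two AlgorithmIdentifiers, named curve (P-256) and explicit
# parameters (abbreviated to the ECParameters version INTEGER; only the tag matters here).
NAMED = bytes.fromhex("3013" "06072a8648ce3d0201" "06082a8648ce3d030107")
EXPLICIT = bytes.fromhex("300e" "06072a8648ce3d0201" "3003020101")
WRAPPED = bytes([SEQUENCE, len(NAMED) + len(EXPLICIT)]) + NAMED + EXPLICIT
```

Run `ec_parameter_kinds(WRAPPED)` to see both classifications; a real deployment would feed it the DER of each client certificate, CSR or uploaded key and reject anything that reports "explicit" until the device is patched.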
QNAP devices affected by the bug are:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
Though QNAP said it’s not aware of any exploits for the bug, a security advisory issued by Italy’s national cybersecurity agency, CSIRT, suggests that it already is being exploited in the wild.
QNAP Under Fire
QNAP devices have indeed had their share of cybersecurity woes in the past several months, a number of which are ongoing.
As the company readies a fix for the OpenSSL flaw, it’s also working on another patch for the so-called Dirty Pipe Linux kernel flaw discovered earlier this month, which also currently has no mitigation on QNAP NAS devices. The flaw, a local privilege-escalation vulnerability, affects the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x.
Attackers also have been pummeling QNAP devices with both ransomware and brute-force attacks since the beginning of the year, the latter of which prompted the vendor to urge customers to get their internet-exposed NAS devices off the internet.
In late January, QNAP forced out an unexpected and not entirely welcome update to its customers’ NAS devices after warning them that the DeadBolt ransomware was mounting an offensive against them. And just last week, reports surfaced that DeadBolt was at it again in a new wave of attacks against QNAP.
The current OpenSSL scenario also is not the first time the vendor’s devices were rattled by a flaw in the cryptography library. Last August, two vulnerabilities, CVE-2021-3711 and CVE-2021-3712, which could respectively cause remote-code execution (RCE) and DoS, also prompted a security advisory and, eventually, emergency patches from QNAP.