QNAP Confirms New Critical Flaws Affecting Some Network-Attached Storage Devices
Last week, QNAP published a security advisory to warn customers about new critical flaws in an open-source fileserver technology integrated into its network-attached storage (NAS) devices. The company has advised customers to look out for updates to address the vulnerabilities affecting some of its products.
QNAP explained in its advisory that the flaws exist in Netatalk, a free, open-source implementation of the Apple Filing Protocol (AFP), which is used to share files between clients and servers. Specifically, AFP enables macOS clients to access data stored on NAS devices. The company says that this outdated file access protocol is still being used because it supports various macOS attributes not found in other protocols.
Netatalk released an update (v3.1.13) in March to patch all of the security issues. QNAP confirmed that it has already addressed the Netatalk flaws in QTS 188.8.131.522 build 20220419 and later. However, the vulnerabilities still impact several versions of its operating systems. The list includes:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
QNAP advises users to temporarily disable AFP
The company is currently investigating the security vulnerabilities and plans to release updates for all impacted QNAP OS versions soon. “QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” QNAP explained.
In the meantime, QNAP is urging customers to disable AFP on QTS or QuTS hero NAS devices to mitigate the Netatalk vulnerabilities in their organization. To do so, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking and disable the “AFP (Apple Filing Protocol)” option.
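After changing the setting, administrators can confirm from the network side that AFP is really off on each NAS they manage. The following is an added example, not code from QNAP or Netatalk: it sends the AFP status request (DSIGetStatus) on TCP port 548 and compares the reported Netatalk version against 3.1.13. It assumes the server reports its Machine Type as "Netatalk" followed by the version number, and `sample_reply` is a constructed reply for offline testing.

```python
import socket
import struct

AFP_PORT = 548       # AFP over TCP (DSI)
FIXED = (3, 1, 13)   # Netatalk release the article names as patched

def parse_machine_type(reply):
    """Machine Type string from a DSIGetStatus reply, or None if malformed."""
    try:
        flags, cmd, _, _, length, _ = struct.unpack(">BBHIII", reply[:16])
        block = reply[16:16 + length]               # FPGetSrvrInfo block
        (off,) = struct.unpack(">H", block[:2])     # first field: Machine Type offset
        name = block[off + 1:off + 1 + block[off]]  # Pascal string: length, then text
    except (struct.error, IndexError):
        return None
    if (flags, cmd) != (1, 3) or len(name) != block[off]:  # 1 = reply, 3 = GetStatus
        return None
    return name.decode("ascii", "replace")

def assess(reply):
    """Classify one device; reply is None when nothing accepted the connection."""
    if reply is None:
        return "AFP off"
    mtype = parse_machine_type(reply) or ""
    digits = mtype[len("Netatalk"):] if mtype.startswith("Netatalk") else ""
    try:
        version = tuple(int(p) for p in digits.split("."))
    except ValueError:
        return "AFP on, version unknown"
    return "AFP on, reports >= 3.1.13" if version >= FIXED else "AFP on, reports < 3.1.13"

def probe(host, timeout=3.0):
    """Send DSIGetStatus to a NAS you administer; None means the port is closed."""
    try:
        sock = socket.create_connection((host, AFP_PORT), timeout=timeout)
    except OSError:
        return None
    with sock, sock.makefile("rb") as f:
        try:
            sock.sendall(struct.pack(">BBHIII", 0, 3, 1, 0, 0, 0))  # DSI request header
            header = f.read(16)
            return header + f.read(min(struct.unpack(">I", header[8:12])[0], 65536))
        except (OSError, struct.error):
            return b""                              # port open, no usable reply

def sample_reply(machine_type):
    """Constructed DSIGetStatus reply for offline checks (not captured traffic)."""
    name = machine_type.encode()
    block = struct.pack(">HHHHH", 10, 0, 0, 0, 0) + bytes([len(name)]) + name
    return struct.pack(">BBHIII", 1, 3, 1, 0, len(block), 0) + block
```

Run `assess(probe(host))` for each NAS in your inventory. A vendor can backport fixes without changing the reported version, so a result below 3.1.13 is a prompt to check the installed firmware build, not proof that the device is exposed.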