QNAP Warns of OpenSSL Infinite Loop Vulnerability Affecting NAS Devices

Taiwanese company QNAP this week revealed that a select number
of its network-attached storage (NAS) appliances are affected by a
recently-disclosed bug in the open-source OpenSSL cryptographic
library.

“An infinite loop vulnerability in OpenSSL has been reported to
affect certain QNAP NAS,” the company said[1]
in an advisory published on March 29, 2022. “If exploited, the
vulnerability allows attackers to conduct denial-of-service
attacks.”

Tracked as CVE-2022-0778[2]
(CVSS score: 7.5), the issue relates to a bug that arises when
parsing security certificates and can be abused to trigger a
denial-of-service condition and remotely crash unpatched devices.

QNAP, which is currently investigating its line-up, said it
affects the following operating system versions –

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later, and
  • QuTScloud c5.0.x

To date, there is no evidence that the vulnerability has been
exploited in the wild. Although Italy’s Computer Security Incident
Response Team (CSIRT) released an advisory[3]
to the contrary on March 16, the agency clarified to The Hacker
News that it has “updated the alert with an errata corrige.”

The advisory comes a week after QNAP released security updates
for QuTS hero (version h5.0.0.1949 build 20220215 and later) to
address the “Dirty Pipe[4]” local privilege
escalation flaw impacting its devices. Patches for QTS and
QuTScloud operating systems are expected to be released soon.

References

  1. said (www.qnap.com)
  2. CVE-2022-0778 (thehackernews.com)
  3. released an advisory (www.csirt.gov.it)
  4. Dirty Pipe (thehackernews.com)
