Netatalk (AFP) Vulnerabilities Affect Synology and QNAP NAS

Critical vulnerabilities of Netatalk

A number of critical vulnerabilities have been discovered in Netatalk, the open-source implementation of Apple's AFP file-sharing protocol that NAS vendors ship for macOS clients. They could allow a remote attacker to read sensitive information from the NAS and to execute arbitrary code on it. In practice this means an attacker who can reach the AFP service could access the server and every file on it and run commands with administrator privileges, so this is a serious flaw that must be resolved as soon as possible.

The Netatalk development team has already fixed these flaws in version 3.1.13, released on March 22nd. Manufacturers such as QNAP and Synology now have to ship updates to their operating systems, because Netatalk is built into the firmware by default rather than being an optional app installed from the App Store; users cannot update it on their own.

If AFP is not enabled on your NAS, you are not exposed, because the vulnerable service is not listening. If you do use AFP (typically because you connect from macOS), the most important recommendation is to disable it until the patch is available; macOS has used SMB as its default file-sharing protocol since OS X 10.9, so SMB is the usual replacement in the meantime.

Synology NAS affected

All Synology NAS servers are at risk except those already running DSM 7.1-42661-1 or later. Any system on DSM 7.0 or DSM 6.2 ships a vulnerable Netatalk version, and the manufacturer has not yet released a fixed firmware for those branches. The issue is not limited to NAS units: Synology routers running SRM 1.2 also include the AFP service.


Affected operating systems (no fix available yet):

  • DSM 7.0
  • DSM 6.2
  • VS Firmware 2.3 (VisualStation)
  • SRM 1.2

Synology has not said when the updated versions of these operating systems will be available, only that, as usual, the fix will ship within 90 days of the upstream Netatalk release, so it may take several weeks for the corresponding updates to appear.

QNAP NAS affected

QNAP has released a new version of QTS, specifically QTS 4.5.4.2012 build 20220419 and later, that fixes these Netatalk flaws. However, the QTS 5.x and QuTS hero h5.x branches have not yet received the corresponding update, so if you have a QNAP NAS you should be very careful and update the operating system as soon as the fix is out. QNAP NAS units running the following operating systems are affected:

  • QTS 5.0.x and later
  • QTS 4.5.4 (fixed in 4.5.4.2012 build 20220419 and later)
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

QNAP says it is still investigating the issue and will release a QTS 5.x update for all users in the coming days; until then it recommends disabling AFP. To do so, go to "Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking" and select "Disable AFP". The manufacturer also stated that it is working on a fix for Dirty Pipe, the Linux kernel vulnerability disclosed a few weeks earlier, which lets a local unprivileged user overwrite read-only files and escalate privileges. In addition, an update is still pending to mitigate several critical Apache HTTP Server bugs. The upcoming QNAP update is therefore very important.
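The recommendation above, both for Synology and for QNAP, boils down to "find out whether AFP is exposed and whether the Netatalk behind it predates 3.1.13". The following script is an added example, not code from the article or from either vendor: it sends the unauthenticated DSIGetStatus request to TCP port 548, parses the FPGetSrvrInfo reply (the same data nmap's afp-serverinfo script shows), and flags a Netatalk banner older than 3.1.13. The reply bytes embedded in `SAMPLE_REPLY` are constructed for the example so it runs offline; the host name passed on the command line is whatever NAS you want to check.

```python
import re
import socket
import struct

DSI_GETSTATUS = 3            # DSI command code for DSIGetStatus (no login needed)
AFP_PORT = 548
NETATALK_FIXED = (3, 1, 13)  # first Netatalk release containing the fixes


def build_dsi_request(command, request_id):
    """16-byte DSI header: flags (0 = request), command, request ID,
    error code / write offset, total data length, reserved."""
    return struct.pack(">BBHIII", 0, command, request_id, 0, 0, 0)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf


def dsi_get_status(host, port=AFP_PORT, timeout=3.0):
    """Send DSIGetStatus and return the FPGetSrvrInfo reply body."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_dsi_request(DSI_GETSTATUS, 1))
        flags, cmd, _rid, _err, length, _res = struct.unpack(">BBHIII", _recv_exact(s, 16))
        if flags != 1 or cmd != DSI_GETSTATUS:   # flags 1 = reply
            raise ValueError("unexpected DSI reply header")
        return _recv_exact(s, length)


def _pstring(buf, off):
    """Pascal string (1-byte length prefix); returns (text, next offset)."""
    n = buf[off]
    return buf[off + 1:off + 1 + n].decode("latin-1"), off + 1 + n


def _plist(buf, off):
    """Count byte followed by that many Pascal strings."""
    count, off = buf[off], off + 1
    items = []
    for _ in range(count):
        s, off = _pstring(buf, off)
        items.append(s)
    return items


def parse_srvr_info(payload):
    """Parse the fixed part of an FPGetSrvrInfo reply. The first five 16-bit
    fields are offsets (relative to the reply start) to the machine type,
    AFP version list, UAM list and volume icon, then the server flags;
    the Pascal-string server name follows at offset 10."""
    mt_off, ver_off, uam_off, _icon_off, flags = struct.unpack(">HHHHH", payload[:10])
    server_name, _ = _pstring(payload, 10)
    machine_type, _ = _pstring(payload, mt_off)
    return {
        "server_name": server_name,
        "machine_type": machine_type,
        "afp_versions": _plist(payload, ver_off),
        "uams": _plist(payload, uam_off),
        "flags": flags,
    }


def netatalk_version(machine_type):
    """Netatalk reports itself as 'Netatalk<x.y.z>' in the machine type."""
    m = re.match(r"Netatalk(\d+)\.(\d+)\.(\d+)", machine_type)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_netatalk(machine_type):
    """True when the banner names a Netatalk release older than 3.1.13."""
    v = netatalk_version(machine_type)
    return v is not None and v < NETATALK_FIXED


# Constructed sample reply (not captured from a real device): server name
# "NAS-Test", machine type "Netatalk3.1.12", three AFP versions, two UAMs.
SAMPLE_REPLY = (
    b"\x00\x14"                              # machine type offset = 20
    b"\x00\x23"                              # AFP versions offset = 35
    b"\x00\x39"                              # UAM list offset = 57
    b"\x00\x00"                              # volume icon offset (none)
    b"\x00\x00"                              # flags
    b"\x08NAS-Test"                          # server name, bytes 10..18
    b"\x00"                                  # pad to even boundary
    b"\x0eNetatalk3.1.12"                    # machine type, bytes 20..34
    b"\x03\x06AFP2.2\x06AFPX03\x06AFP3.4"    # AFP versions, bytes 35..56
    b"\x02\x0fNo User Authent\x04DHX2"       # UAMs, bytes 57..78
)


def check_host(host):
    """Probe one host; a refused/timed-out connection means AFP is not exposed."""
    try:
        info = parse_srvr_info(dsi_get_status(host))
    except OSError as e:
        return {"host": host, "afp_exposed": False, "error": str(e)}
    info.update(host=host, afp_exposed=True,
                vulnerable_banner=is_vulnerable_netatalk(info["machine_type"]))
    return info


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_host(sys.argv[1]))        # e.g. python afp_check.py nas.local
    else:
        info = parse_srvr_info(SAMPLE_REPLY)
        print(info, "vulnerable banner:", is_vulnerable_netatalk(info["machine_type"]))
```

Treat the version string as a first-pass indicator only: a vendor build may backport the fix without changing the banner, or report a different machine type altogether, so the vendor advisory has the final word on whether a given firmware is patched. A connection refused on port 548 is the outcome you want after disabling AFP in the control panel.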
