No updates for QNAP and Synology
As of this writing, both QNAP and Synology are still working to release updates as soon as possible for users whose NAS devices are vulnerable to these security flaws. However, the flaws have not yet been fixed, so the devices remain at risk.
In the case of QNAP, there are two security flaws logged as CVE-2021-3711 and CVE-2021-3712. These vulnerabilities affect NAS devices running QTS, QuTS hero, QuTScloud, and HBS 3 Hybrid Backup Sync.
The first vulnerability is a buffer overflow in the SM2 algorithm, which can cause crashes or remote code execution. The second is a read buffer overflow during ASN.1 string processing, which an attacker can also use to crash applications or access private memory.
Note that these are OpenSSL vulnerabilities that affect QNAP devices. The OpenSSL project already fixed the problem with the release of OpenSSL 1.1.1l a few days ago. However, QNAP is still working on releasing patches for its users as soon as possible.
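While vendor patches are pending, an administrator with shell access can check which OpenSSL release a device reports. The script below is an added example, not code from QNAP, Synology or the article: it classifies an `openssl version` banner against the 1.1.1l fix mentioned above, assuming every earlier 1.1.1 release is affected and reporting any other branch as unknown. The function name and sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Classifies an `openssl version` banner
# against the 1.1.1l fix named in the article.
# Assumption: every 1.1.1 release before 1.1.1l is treated as affected.
# Other branches, and anything that is not an OpenSSL banner, are "unknown".

classify_openssl_version() {
    # Pull the version token out of a banner such as
    # "OpenSSL 1.1.1k  25 Mar 2021" (digits and dots, optional letter suffix).
    ver=$(printf '%s\n' "$1" |
        LC_ALL=C sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')

    # Letters are listed explicitly so the match does not depend on locale.
    case $ver in
        1.1.1|1.1.1[abcdefghijk]) echo vulnerable ;;
        1.1.1[lmnopqrstuvwxyz])   echo patched ;;
        *)                        echo unknown ;;
    esac
}

# Constructed sample banners (not captured from any real device).
for banner in \
    'OpenSSL 1.1.1k  25 Mar 2021' \
    'OpenSSL 1.1.1l  24 Aug 2021' \
    'OpenSSL 1.1.1  11 Sep 2018' \
    'OpenSSL 3.0.2 15 Mar 2022' \
    'LibreSSL 3.3.6'
do
    printf '%-30s -> %s\n' "$banner" "$(classify_openssl_version "$banner")"
done

# Classify the OpenSSL binary on this host, if one is installed.
if command -v openssl >/dev/null 2>&1; then
    local_banner=$(openssl version)
    printf 'this host: %s -> %s\n' "$local_banner" \
        "$(classify_openssl_version "$local_banner")"
fi
```

The banner only describes the library behind the command-line tool; firmware can bundle other copies or carry backported fixes without a version change, so the vendor advisory remains the authoritative source.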
Remote access and denial of service
Synology, which has multiple affected products, namely DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server and VPN Server, has not yet published updates to fix the problem. The company says that it is working on them and that the patches are in progress, so that users can apply them in the shortest possible time.
Synology devices are affected by the same two vulnerabilities that put QNAP NAS devices at risk, and for now there are no patches available to fix them and let the devices run without any security risk.
An attacker could remotely carry out denial-of-service attacks and execute arbitrary code through a vulnerable version of Synology DiskStation Manager, Synology Router Manager, VPN Plus Server, or VPN Server.
Therefore, in both cases we are still waiting for security updates that fix the problem. Both QNAP and Synology are working to offer their customers patches for these vulnerabilities as soon as possible. You can see some tips to protect a NAS.
At RedesZone we always recommend applying all available security updates and patches. It is the best way to ensure that any device connected to the network is protected and has no flaw that could allow an attacker to infect it with malware, break into the computer or perform any action remotely. Of course, sometimes these updates are a problem: we may be using obsolete devices or, as in the case covered in this article, the updates take time to arrive.