Critical vulnerabilities open Synology, QNAP NAS devices to attack

Users of Synology and QNAP network-attached storage (NAS) devices are advised to be on the lookout for patches for several critical vulnerabilities affecting Netatalk, an open-source implementation of the Apple Filing Protocol (AFP) that allows Unix-like operating systems to serve as file servers for Macs.

There is no indication that they are currently being exploited by attackers in the wild, but until patches are made available, users should implement mitigations delineated by the companies.

About the Netatalk vulnerabilities

Network-attached storage (NAS) devices are usually used by small-to-medium businesses and home users for storing and sharing files and backups. They are also often exposed to the public internet, which makes them reachable by attackers.

Vulnerabilities affecting some of the most widely used NAS devices are often exploited to covertly mine cryptocurrency, or the devices are compromised and their contents stolen or encrypted and held for ransom.

The vulnerabilities currently at issue were reported, and some of them exploited, at the Pwn2Own 2021 hacking competition.

They were patched in Netatalk v3.1.1 in March, but the new version has yet to be propagated to some of the affected devices.

The vulnerabilities in question are:

  • CVE-2022-0194, CVE-2022-23122, and CVE-2022-23125, which can be exploited to achieve unauthenticated remote code execution
  • CVE-2022-23123 and CVE-2022-23124 – two sensitive information disclosure vulnerabilities
  • CVE-2022-23121 and CVE-2021-31439, two vulnerabilities that may allow network-adjacent attackers to execute arbitrary code on affected installations

Patches and mitigation advice

Western Digital reacted earlier this year, before the Netatalk update with fixes, by removing Netatalk from their firmware altogether. “Users can continue to access local network shares and perform Time Machine backup via SMB,” they said.

TrueNAS has fixed the issues in TrueNAS Core 12.0-U8.1, released earlier this month.

Synology says that they are in the process of pushing out fixes – there’s one for Synology DiskStation Manager v7.1 out already – and that users who want immediate assistance to mitigate the risk of exploitation should contact the company’s technical support service.

QNAP has fixed the vulnerabilities on QTS 4.5.4.2012 build 20220419 and later and is working on other fixes. In the meantime, they advise users to temporarily disable the AFP (which can be done through the devices’ control panel, under the Network & File Services tab) and to implement updates as soon as they are available.

Asustor is working on fixes.
