New vulnerabilities have been discovered in QNAP network-attached storage (NAS) devices, the company confirmed.
As reported by BeepComputer, the vulnerabilities – tracked as CVE-2022-22721 and CVE-2022-23943 – were both given a severity score of 9.8/10. Discovered in Apache HTTP Server 2.4.52 and earlier, bugs can be used to perform low complexity attacks that do not require interaction with the victim.
QNAP has warned NAS owners to apply known mitigations as a full fix is not yet available.
Mitigation available, fix pending
“We are thoroughly investigating the two vulnerabilities affecting QNAP products and will release security updates as soon as possible,” the company said.
“CVE-2022-22721 affects 32-bit QNAP NAS models and CVE-2022-23943 affects users who have mod_sed enabled in Apache HTTP Server on their QNAP device.”
Pending a full fix, QNAP advised customers to keep the default “1M” for LimitXMLRequestBody and disable mod_sed, as both of these things effectively plug holes.
QNAP also stated that the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
In the same announcement, QNAP revealed that it is working hard to fix “Dirty Pipe”, a recently discovered high-severity Linux vulnerability.
Dirty Pipe affects NAS devices running multiple versions of QTS, QuTS hero, and QuTScloud, and allows threat actors to trigger denial of service (DoS) attacks or crash terminals remotely.
The Linux kernel team fixed Dirty Pipe as soon as its existence was confirmed. A security update has been rolled out to all affected Linux versions, while Google has also updated the Android operating system.
If left unpatched on vulnerable systems, Dirty Pipe can be exploited by an attacker to gain full control over affected computers and smartphones. With this access, they could read users’ private messages, compromise banking apps and more.