Synology and QNAP are patching OpenSSL remote code execution vulnerabilities
OpenSSL recently disclosed two high-severity vulnerabilities, tracked as CVE-2021-3711 and CVE-2021-3712, in an advisory on its official website. An attacker can use them to crash an application, to read private data held in memory such as private keys and other sensitive information, or, in the worse case, to run arbitrary code. As a countermeasure, the OpenSSL project has released the fixed versions 1.1.1l and 1.0.2za (the latter for customers of its premium support, since the 1.0.2 branch is otherwise out of public support), and any other software that embeds the library needs to be upgraded promptly. Notably, the vulnerabilities also reach network-attached storage (NAS): both Synology's DSM and QNAP's QTS operating systems are affected.
QNAP's security bulletin states that the vulnerabilities affect its network-attached storage devices, including the QTS operating system and several packages that will need to be updated. CVE-2021-3711 can be used to crash a QNAP device or, in the worse case, to execute arbitrary code remotely, with serious consequences. CVE-2021-3712 can be used to crash a vulnerable application or to disclose private data held in memory. QNAP summarises this as an attacker being able to read memory contents or run arbitrary code without authorization, compromising the device's security. QNAP has not yet completed its fix; the company says it is thoroughly investigating the issue and will release security updates and further information as soon as possible.
Synology's announcement lists multiple product lines as affected, among them DSM 7.0, DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Server and VPN Plus Server, and likewise warns that an attacker can use the vulnerabilities to execute arbitrary code remotely. Synology has not published a more detailed description, but remote execution of arbitrary code is by itself a very serious security problem. The company is currently investigating and assessing the vulnerabilities and has not yet released a security update; its security team says it cannot disclose further details for now.
The good news is that, so far, no attackers have been observed exploiting these vulnerabilities in the wild, so users need only wait for the security updates. We recommend that Synology and QNAP users enable automatic updates so that their devices receive the fix as soon as the vendors release it, and, until then, avoid exposing the NAS management interface and other TLS-facing services directly to the internet.
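As an added example that is not part of this article or of either vendor's tooling, the following POSIX shell script screens an `openssl version` banner against the fixed releases named in the OpenSSL advisory, 1.1.1l and 1.0.2za. The sample banners are constructed, and the function names `openssl_status` and `check_local_openssl` are assumptions of this example; it can be run over SSH on a NAS, on a build host, or against a specific bundled binary.

```shell
#!/bin/sh
# Added example (not from the OpenSSL advisory, QNAP or Synology): classify an
# `openssl version` banner against the fixed releases for CVE-2021-3711 and
# CVE-2021-3712: 1.1.1l (both CVEs) and 1.0.2za (CVE-2021-3712).
# Releases outside the 1.1.1 and 1.0.2 branches are reported as "unknown"
# rather than guessed at.

# openssl_status "<banner>" -> prints vulnerable | fixed | unknown
# Banner format: "OpenSSL <version>  <date>", e.g. "OpenSSL 1.1.1k  25 Mar 2021"
openssl_status() {
    line="$1"
    name="${line%% *}"          # product name: text before the first space
    rest="${line#* }"
    ver="${rest%% *}"           # version number: the second field
    [ "$name" = "OpenSSL" ] || { echo unknown; return 0; }
    case "$ver" in
        1.1.1|1.1.1[a-k])   echo vulnerable ;;   # 1.1.1 through 1.1.1k
        1.1.1[l-z])         echo fixed ;;        # 1.1.1l and later letter releases
        1.0.2|1.0.2[a-y])   echo vulnerable ;;   # 1.0.2 through 1.0.2y
        1.0.2z*)            echo fixed ;;        # 1.0.2za and later (premium support)
        *)                  echo unknown ;;      # other branches: consult the advisory
    esac
}

# check_local_openssl [path] -> status of the openssl binary on this host.
# Pass a path to test a specific binary, e.g. one shipped inside a NAS package.
check_local_openssl() {
    bin="${1:-openssl}"
    banner=$("$bin" version 2>/dev/null) || { echo unknown; return 0; }
    openssl_status "$banner"
}

# Constructed sample banners (not captured from real devices) so the script
# demonstrates each outcome when run directly.
for sample in \
    "OpenSSL 1.1.1k  25 Mar 2021" \
    "OpenSSL 1.1.1l  24 Aug 2021" \
    "OpenSSL 1.0.2y  16 Feb 2021" \
    "OpenSSL 1.0.2za 24 Aug 2021" \
    "LibreSSL 3.3.6"
do
    printf '%-30s %s\n' "$sample" "$(openssl_status "$sample")"
done
printf '%-30s %s\n' "local openssl binary" "$(check_local_openssl)"
```

A version-string check is only a first screen: distributions and appliance vendors often backport fixes without changing the upstream version string, and a NAS package may bundle its own copy of libssl that the system `openssl` binary does not reflect. Confirm against the vendor's bulletin before treating a device as either fixed or vulnerable.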