Qnap Recommends Disabling AFP Due to Critical Vulnerability

Critical Qnap Vulnerability
Written by Emma Davis

Qnap developers report they are working on updating of their QTS and QuTS operating systems, as Netatalk released patches last month that address seven vulnerabilities in their software at once, of which one vulnerability is critical.

Qnap asks users to temporarily disable the AFP protocol on their NAS until critical bugs are fixed.

By the way, we wrote that Qnap warns that Dirty Pipe vulnerability affects most of the company’s NAS, and that Attackers use a three-year-old RCE bug to install backdoors in Qnap NAS.

Netatalk is an open source implementation of AFP (Apple Filing Protocol) that allows *NIX/*BSD systems to act as an AppleShare File Server (AFP) for macOS clients. On Qnap devices, AFP allows macOS systems to access NAS data. The developers write that the protocol is still in use because it “supports many unique macOS attributes that are not supported by other solutions.”

On March 22, 2022, Netatalk developers released version 3.1.13, where they fixed the following issues: CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194 which can be used to execute arbitrary code.

Critical Qnap Vulnerability

The fears of Qnap developers are linked to the fact that back in 2021, during the Pwn2Own hacker competition, members of the EDG team from the NCC Group took advantage of the CVE-2022-23121 vulnerability, which received 9.8 points out of 10 possible on the CVSS rating scale, to remotely execute code (without authentication) on a Western Digital PR4100 NAS running My Cloud OS.

In addition, three other vulnerabilities listed above (CVE-2022-23125, CVE-2022-23122, CVE-2022-0194) also scored 9.8 on the CVSS scale, and all of them allow unauthenticated attackers to execute arbitrary code remotely.

Now, after the release of the patches, Qnap reported that the vulnerabilities in Netatalk have already been fixed in QTS build 20220419 and later, but affect the following products:

  1. QTS 5.0.x and above;
  2. QTS 4.5.4 and above;
  3. QTS 4.3.6 and above;
  4. QTS 4.3.4 and above;
  5. QTS 4.3.3 and above;
  6. QTS 4.2.6 and above;
  7. QuTS hero h5.0.x and above;
  8. QuTS hero h4.5.4 and above;
  9. QuTScloud c5.0.x.

Until patches for all products become available, the manufacturer strongly recommends that NAS owners temporarily disable AFP on their devices.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply