
Resolved Qnap Security Advisory | Bulletin ID: QSA-22-03

Concerning multiple vulnerabilities in Samba: security enhancement against security vulnerabilities that could affect specific versions of NAS

Qnap Systems, Inc. has published a security enhancement against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Multiple vulnerabilities in Samba
Release date: February 10, 2022
Security ID: QSA-22-03
Severity: Critical
CVE identifier: CVE-2021-44141 | CVE-2021-44142 | CVE-2022-0336
Affected products:
 Qnap NAS
Status: Resolved

Summary
Multiple vulnerabilities in Samba have been reported to affect Qnap NAS. If exploited, these vulnerabilities allow attackers to access sensitive information, run arbitrary commands, and impersonate existing services:

  • CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share

  • CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution

  • CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services

The company has already fixed the vulnerabilities in the following versions of the QTS NAS OS:

  • QTS 5.0.0.1932 build 20220129 and later

  • QTS 4.5.4.1931 build 20220128 and later

  • QTS 4.3.6.1965 build 20220302 and later

  • QTS 4.3.4.1976 build 20220303 and later

  • QTS 4.3.3.1945 build 20220303 and later

  • QuTS hero h5.0.0.1949 build 20220215 and later

  • QuTS hero h4.5.4.1951 build 20220218 and later

  • QuTScloud c5.0.1.1949 and later

QTS 4.2.6 is not affected.
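
The fixed-version list above can be applied to a device inventory. The following is an added example, not code from Qnap or from the original advisory; it assumes version strings written in the same form the advisory uses and that, within a branch, build number and build date only increase. The host names and the pre-fix build values in the sample inventory are constructed.

```python
import re

# Fixed releases from the advisory: (product, branch) -> (build number, build date).
FIXED = {
    ("QTS", "5.0.0"): (1932, 20220129),
    ("QTS", "4.5.4"): (1931, 20220128),
    ("QTS", "4.3.6"): (1965, 20220302),
    ("QTS", "4.3.4"): (1976, 20220303),
    ("QTS", "4.3.3"): (1945, 20220303),
    ("QuTS hero", "h5.0.0"): (1949, 20220215),
    ("QuTS hero", "h4.5.4"): (1951, 20220218),
    ("QuTScloud", "c5.0.1"): (1949, None),  # advisory gives no build date
}
NOT_AFFECTED = {("QTS", "4.2.6")}

VERSION_RE = re.compile(
    r"^(QTS|QuTS hero|QuTScloud)\s+([hc]?\d+\.\d+\.\d+)\.(\d+)(?:\s+build\s+(\d{8}))?$"
)

def classify(version_string):
    """Return fixed / vulnerable / not affected / not listed / unparsed."""
    m = VERSION_RE.match(version_string.strip())
    if not m:
        return "unparsed"
    key = (m.group(1), m.group(2))
    number, date = int(m.group(3)), m.group(4)
    if key in NOT_AFFECTED:
        return "not affected"
    if key not in FIXED:
        return "not listed"  # branch absent from the advisory: check by hand
    fixed_number, fixed_date = FIXED[key]
    # Conservative: both the build number and (when known) the date must reach the fix.
    if number < fixed_number:
        return "vulnerable"
    if date and fixed_date and int(date) < fixed_date:
        return "vulnerable"
    return "fixed"

if __name__ == "__main__":
    # Constructed inventory: host names and pre-fix build values are made up.
    inventory = {
        "nas-01": "QTS 5.0.0.1932 build 20220129",
        "nas-02": "QTS 4.5.4.1800 build 20211101",
        "nas-03": "QuTS hero h5.0.0.1949 build 20220215",
        "nas-04": "QTS 4.2.6.1000 build 20210101",
    }
    for host, version in inventory.items():
        print(f"{host}: {version} -> {classify(version)}")
```

A result of "not listed" means the branch does not appear in the advisory at all, so the device needs a manual check rather than being assumed safe.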

Recommendation
To secure your NAS, Qnap recommends the following actions:

  • Disable SMB 1.

  • Update your operating system to the latest version.

Before a security update is available for your operating system version, we recommend the following action:

  • Deny guest access to all shared folders.

Disabling SMB 1

  1. Log on to QTS, QuTS hero or QuTScloud.

  2. Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.

  3. Click Advanced Options.
    The Advanced Options window opens.

  4. Next to Lowest SMB version, select SMB 2 or higher.

  5. Click Apply.

Updating QTS, QuTS hero or QuTScloud

  1. Log on to QTS, QuTS hero or QuTScloud as administrator.

  2. Go to Control Panel > System > Firmware Update.

  3. Under Live Update, click Check for Update.
    QTS, QuTS hero or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the Qnap website. Go to Support > Download Center and then perform a manual update for your specific device.

Denying guest access to shared folders

  1. Log on to QTS, QuTS hero or QuTScloud.

  2. Go to Control Panel > Privilege > Shared Folders > Shared Folder.

  3. Identify a shared folder.

  4. Under Action, click the Edit Shared Folder Permission icon.
    The Edit Shared Folder Permission window opens.

  5. Next to Guest Access Right, select Deny access.

  6. Click Apply.

  7. Repeat steps 3-6 for each shared folder.

Revision history:
V1.0 (February 10, 2022) – Published
V1.1 (February 15, 2022) – QTS 5.0.0 security update released
V1.2 (February 18, 2022) – QTS 4.5.4 and QuTS h5.0.0 security update released
V1.3 (March 19, 2022) – All the other platforms released
