What are you looking for ?
Mobile Search Icon
Mobile Menu Icon
Advertise with us
RAIDON

Qnap Security Advisory QSA-22-22 Fixing Multiple Vulnerabilities in Samba

In QTS 5.0.0.2131 build 20220815 and later, and QTS 4.5.4.2125 build 202208, and recommendation 10 and later

This is a Press Release edited by StorageNewsletter.com on August 18, 2022 at 2:01 pm

Qnap Systems, Inc. had published a security advisory concerning multiple vulnerabilities in Samba in use with QTS NAS OS.

Release date: August 16, 2022
Security ID: QSA-22-22
Severity: High
CVE identifier: CVE-2022-32742 | CVE-2022-2031 | CVE-2022-32744 | CVE-2022-32745 | CVE-2022-32746
Affected products: Certain Qnap NAS
Status: Fixing

Summary
Multiple vulnerabilities have been reported to affect Samba:

  • Medium, CVE-2022-32742: SMB1 Client with write access to a share can cause server memory contents to be written into a file or printer.
  • Medium, CVE-2022-2031: The KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other’s tickets. A user who has been requested to change their password can exploit this to obtain and use tickets to other services.
  • High, CVE-2022-32744: The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change the passwords of other users, enabling full domain takeover.
  • Medium, CVE-2022-32745: Samba AD users can cause the server to access uninitialised data with an LDAP add or modify request, usually resulting in a segmentation fault.
  • Medium, CVE-2022-32746: The AD DC database audit logging module can be made to access LDAP message values that have been freed by a preceding database module, resulting in a use-after-free. This is only possible when modifying certain privileged attributes, such as userAccountControl.

Product status
The following Qnap OS versions have been affected:

  • QTS 5.0.1
  • QTS 5.0.0
  • QTS 4.5.x/4.4.x
  • QTS 4.3.x
  • QTS 4.2.x (CVE-2022-32742 only, will not fix)
  • QuTS hero h5.0.1
  • QuTS hero h5.0.0
  • QuTS hero h4.5.x
  • QuTScloud c5.0.1

The company have already fixed the vulnerabilities in following versions:

  • QTS 5.0.0.2131 build 20220815 and later
  • QTS 4.5.4.2125 build 20220810 and later

Recommendation
To secure Qnap NAS, the firm strongly recommend following actions:

  • Do not expose SMB service to the Internet.
  • Disable SMB 1.
  • Do not expose your NAS to the Internet.
  • If you enabled myQnapcloud, set up myQnapcloud on the NAS to enable secure remote access.
  • Update your OS to the latest version.

Disabling SMB 1

  1. Log on to QTS, QuTS hero or QuTScloud.
  2. Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
  3. Click Advanced Options.
  4. The Advanced Options window opens.
  5. Next to Lowest SMB version, select SMB 2 or higher.
  6. Click Apply.

Reducing Internet exposure

  1. Log in to your router.
  2. Disable the UPnP and DMZ functions.
  3. Disable all port forwarding rules.
  4. Use a VPN to reduce exposure of NAS services to the internet.
  5. For details, refer to this document.

Setting up myQnapcloud on NAS 

  • Log on to QTS, QuTS hero, or QuTScloud as an administrator. 
  • Open myQnapcloud.
  • Disable UPnP port forwarding.
    • Go to Auto Router Configuration.
    • Deselect Enable UPnP Port forwarding.
  • Enable DDNS.
    • Go to My DDNS.
    • Click the toggle button to enable My DDNS.
  • Do not publish your NAS services.
    • Go to Published Services.
    • Deselect all items under
    • Click
  • Configure myQnapcloud Link to enable secure remote access to your NAS via a SmartURL. 
    • Go to myQnapcloud Link.
    • Click Install to install myQnapcloud Link on NAS.
    • Click the toggle button to enable myQnapcloud Link.
  • Restrict which users who can remotely access your NAS via the SmartURL. 
    • Go to Access Control.
    • Next to Device access controls, select Privateor Customized.
    • Note: Selecting Private allows only the Qnap ID logged in to myQnapcloud to
      access the NAS via the SmartURL. Selecting Customized allows you to invite other Qnap ID accounts to access the device via the SmartURL.
    • If you selected Customized, click Add and specify a Qnap ID to invite the user. 

Obtain the SmartURL by going to Overview. 

For questions on using myQnapcloud

Updating QTS, QuTS hero or QuTScloud

  • Log on to QTS, QuTS hero or QuTScloud as administrator.
  • Go to Control Panel > System > Firmware Update.
  • Under Live Update, click Check for Update.
  • QTS, QuTS hero or QuTScloud downloads and installs the latest available update.

Tip: User can also download the update from the Qnap website. Go to Support > Download Center and then perform a manual update for his specific device.

Revision History: V1.0 (August 16, 2022) – Published

 

Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E