Buffalo Security Advisory: Vulnerabilities Related to AFP in TeraStation and LinkStation NAS
For older products that do not have firmware updates available, the company urges all TeraStation and LinkStation users to disable AFP on their devices by following the appropriate procedures.
This is a Press Release edited by StorageNewsletter.com on September 8, 2022 at 2:01 pm
Buffalo Americas Inc. issued a product security notice regarding multiple vulnerabilities related to AFP in TeraStation and LinkStation NAS products.
AFP is a proprietary network protocol for file services. Security vulnerabilities may allow threat actors to execute unauthorized code or improperly obtain data on affected storage products.
The company would like to remind its customers to update the firmware for certain affected products in order to patch the vulnerabilities.
For older products that do not have firmware updates available, the company urges all TeraStation and LinkStation users to disable AFP on their devices by following the appropriate procedures available on the Security Notices page.
AFP vulnerabilities advisory summary
We have confirmed multiple vulnerabilities related to AFP in our TeraStation and LinkStation NAS products. Data stored in affected products may be improperly obtained or arbitrary code from threat actors may be executed.
We are currently investigating our products, and will release information on the target products and countermeasures as appropriate. The vulnerabilities and affected products that have been identified so far are as follows:
| Vulnerability ID | Vulnerability overview |
|---|---|
| CVE-2021-31439 | A heap-based buffer overflow vulnerability |
| CVE-2022-23121 | An improper handling vulnerability present under exceptional conditions |
| CVE-2022-0194 | A stack-based buffer overflow vulnerability |
| CVE-2022-23122 | A stack-based buffer overflow vulnerability |
| CVE-2022-23125 | A stack-based buffer overflow vulnerability |
| CVE-2022-23123 | An out-of-bounds read vulnerability |
| CVE-2022-23124 | An out-of-bounds read vulnerability |
Affected products
| Product series | Corrective action(s) |
|---|---|
| TS6000 | Update firmware to version 5.62 or later. |
| TS5010/3010/3020 | Update firmware to version 5.34 or later. |
| TS1000 | Please follow corrective action below. |
| TS3000 | Please follow corrective action below. |
| TS5000 | Please follow corrective action below. |
| TS5200DS | Please follow corrective action below. |
| TS-2RZ | Please follow corrective action below. |
| LS200 | Please follow corrective action below. |
| LS400 | Please follow corrective action below. |
| LS500 | Please follow corrective action below. |
| TS-X | Please follow corrective action below. |
| TS-V | Please follow corrective action below. |
Corrective actions
For products for which patch firmware has not yet been released, please refer to the appropriate procedures below to manually disable the AFP function. When new firmware is released for the affected products, we will update this page accordingly.
Corrective Procedures
Select the product series you are using to follow its corrective procedure.
TS-2RZ, TS5000/3000/1000 Series
Disable AFP
(1) From Settings, click [File Sharing].
(2) Click the switch icon next to [AFP] to turn it off.
LS200/400 Series
Disable AFP
(1) From Settings, click [File Sharing].
(2) Click the switch icon next to [AFP] to turn it off.
LS500 Series
Disable AFP
(1) From Settings, click [Preferences].
(2) Click [AFP].
(3) Uncheck [Enable AFP], and then click [Apply].
TS-X/V Series
Disable AFP
(1) From Settings, navigate to [Network] – [Network] – [Network Service] – [AFP].
(2) Click [Do not use], and then click [Save].
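The following Python script is an added example, not part of Buffalo's advisory or tooling: it applies the affected-products table to a device inventory and checks whether TCP port 548 (the registered AFP port) still accepts connections after the procedures above have been carried out. The inventory entries, the status labels and the reading of "TS5010/3010/3020" as three series names are assumptions made for illustration.

```python
import socket

AFP_PORT = 548  # registered TCP port for AFP (carried over DSI)

# Series with fixed firmware, and the minimum fixed version (advisory table).
FIXED_FIRMWARE = {"TS6000": (5, 62), "TS5010": (5, 34),
                  "TS3010": (5, 34), "TS3020": (5, 34)}
# Series the advisory lists with no fixed firmware: AFP has to be off.
DISABLE_ONLY = {"TS1000", "TS3000", "TS5000", "TS5200DS", "TS-2RZ",
                "LS200", "LS400", "LS500", "TS-X", "TS-V"}


def parse_version(text):
    """'5.62' -> (5, 62), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def afp_listening(host, port=AFP_PORT, timeout=2.0):
    """True if a TCP connection to the AFP port succeeds from this vantage point."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def assess(series, firmware, afp_open):
    """Map one device to the action the advisory prescribes for its series."""
    if series in FIXED_FIRMWARE:
        if parse_version(firmware) >= FIXED_FIRMWARE[series]:
            return "OK"
        return "UPDATE_FIRMWARE"
    if series in DISABLE_ONLY:
        return "DISABLE_AFP" if afp_open else "OK"
    return "NOT_LISTED"  # the advisory says product investigation is ongoing


if __name__ == "__main__":
    # Constructed inventory: hosts are documentation addresses (RFC 5737),
    # firmware strings are made-up sample values.
    inventory = [("192.0.2.10", "TS6000", "5.60"),
                 ("192.0.2.11", "TS3020", "5.34"),
                 ("192.0.2.12", "LS500", "4.10")]
    for host, series, firmware in inventory:
        afp_open = afp_listening(host)
        print(host, series, firmware, "afp_open=%s" % afp_open,
              assess(series, firmware, afp_open))
```

A closed port only shows that AFP is unreachable from the machine running the check, so run it from the same network segment as the clients that used the share.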
Page revision history
| Date | Description |
|---|---|
| 8/31/22 | Initial public release |