Qnap Security Advisory: Bulletin ID: QSA-21-39 and QSA-21-40

Qnap Systems, Inc. has published security enhancement against security vulnerabilities that could affect specific versions of the company’s products.

Following information and solutions to correct the security issues and vulnerabilities.

This advisory includes following:

Out-of-Bounds vulnerabilities in OpenSSL
Release date: August 30, 2021
Security ID: QSA-21-39
Severity: High
CVE identifier: CVE-2021-3711 | CVE-2021-3712
Affected products: Qnap NAS running HBS 3

Summary
Two out-of-bounds vulnerabilities in OpenSSL have been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerabilities allow remote attackers to execute arbitrary code with the permissions of the user running the application.

The company is thoroughly investigating the case. The firm will release security updates and provide further information ASAP.

Learn more

Out-of-Bounds read vulnerability in OpenSSL
Release date: August 30, 2021
Security ID: QSA-21-40
Severity: Medium
CVE identifier: CVE-2021-3712
Affected products: Qnap NAS running QTS, QuTS hero, and QuTScloud

Summary
An out-of-bounds read vulnerability in OpenSSL has been reported to affect the company’s NAS running QTS, QuTS hero, and QuTScloud. If exploited, the vulnerability allows remote attackers to disclose memory data or execute a denial-of-service (DoS) attack.

The firm is thoroughly investigating the case. The company will release security updates and provide further information ASAP.

Learn more

Any questions regarding this issue: Contact support ticket