Taiwanese company QNAP this week revealed that a select number of its network-attached storage (NAS) appliances are affected by a recently disclosed bug in the open-source OpenSSL cryptographic library.
“An infinite loop vulnerability in OpenSSL has been reported to affect certain QNAP NAS,” the company stated in an advisory published on March 29, 2022. “If exploited, the vulnerability permits attackers to conduct denial-of-service attacks.”
Tracked as CVE-2022-0778 (CVSS score: 7.5), the issue relates to a bug that arises when parsing security certificates and can be triggered to cause a denial-of-service condition and remotely crash unpatched devices.
QNAP, which is currently investigating its product line-up, said the flaw impacts the following operating system versions:
- QTS 5..x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5..x and later
- QuTS hero h4.5.4 and later, and
- QuTScloud c5..x
To date, there is no evidence that the vulnerability has been exploited in the wild. Although Italy’s Computer Security Incident Response Team (CSIRT) released an advisory to the contrary on March 16, the company clarified to The Hacker News that it has “updated the alert with an errata corrige.”
The advisory arrives a week after QNAP released security updates for QuTS hero (version h5…1949 build 20220215 and later) to address the “Dirty Pipe” local privilege escalation flaw impacting its devices. Patches for the QTS and QuTScloud operating systems are expected to be released soon.
Some parts of this article are sourced from:
thehackernews.com