“QNAP, the makers of Networked Attached Storage (NAS) devices that are especially popular with home and small business users, has issued a warning about not-yet-patched bugs in the company’s products.

 – https://www.qnap.com/en/security-advisory/qsa-22-11

Home and small office NAS devices, which typically range in size from that of a small dictionary to that of a large encyclopedia, provide you with the ready-to-go convenience of cloud storage, but in the custodial comfort of your own network.

Loosely speaking, a NAS device is like an old-school file server that connects directly to your LAN, so it’s accessible and usable even if your internet connection is slow or broken.”

The bugs and their workarounds are:

CVE-2022-22721. A web client sending in a supersized HTTP request could cause a buffer overflow, thus provoking a server crash or even leading to an exploitable code execution hole. Check that the HTTP Server configuration setting LimitXMLRequestBody is set to 1MByte (the default) or below.

CVE-2022-23943. If you have turned on the Apache HTTP Server mod_sed extension, which allows you to set up incoming and outgoing content filtering rules, you may be vulnerable to memory mismanagement bugs if extra-supersized HTTP requests (bigger than 2Gbyte!) are received. We’re not sure why you would need to turn mod_sed on, but QNAP seems to think there may be customers who are using this feature. Check that mod_sed is not enabled. (The name mod_sed is shorthand for stream editing module, meaning that it can apply text editing rules to requests as they arrive, or to replies just before they’re sent out.)
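To make the two configuration checks above repeatable, here is an added shell example (it is not from the article, from QNAP or from Apache) that audits an Apache httpd configuration file for both workarounds: whether the effective LimitXMLRequestBody is at or below 1000000 bytes (Apache's documented default, the 1 MByte figure above; a missing directive means the default applies) and whether any uncommented LoadModule line loads mod_sed. The configuration files it reads are constructed for the example; it does not follow Include directives, so on a real system you would run it against every file that can carry these directives, and the path to that file is your own assumption.

```shell
#!/bin/sh
# Audit an Apache httpd configuration file for the two QSA-22-11 workarounds:
#   1. LimitXMLRequestBody at or below 1000000 bytes (Apache's documented default)
#   2. mod_sed not loaded
# Only the single file passed in is inspected; Include directives are not followed.

# Threshold in bytes: Apache's documented default for LimitXMLRequestBody.
XML_BODY_LIMIT=1000000

# Print the last effective LimitXMLRequestBody value in the file (empty if unset).
# Comments are stripped first; directive names are matched case-insensitively.
effective_xml_limit() {
    sed 's/#.*//' "$1" | awk 'toupper($1)=="LIMITXMLREQUESTBODY" {v=$2} END {print v}'
}

# Return 0 when the effective limit is within the threshold. An unset directive
# falls back to Apache's default, so it counts as OK; a non-numeric value needs
# manual review and is reported as not OK.
xml_limit_ok() {
    limit=$(effective_xml_limit "$1")
    [ -z "$limit" ] && return 0
    case "$limit" in
        *[!0-9]*) return 1 ;;
    esac
    [ "$limit" -le "$XML_BODY_LIMIT" ]
}

# Return 0 when no uncommented LoadModule line loads mod_sed, 1 otherwise.
mod_sed_disabled() {
    if sed 's/#.*//' "$1" | grep -Eiq '^[[:space:]]*LoadModule[[:space:]]+sed_module[[:space:]]'; then
        return 1
    fi
    return 0
}

# Human-readable summary for one configuration file.
audit_conf() {
    echo "== $1"
    if xml_limit_ok "$1"; then
        echo "LimitXMLRequestBody: OK (effective value: ${limit:-default})"
    else
        echo "LimitXMLRequestBody: REVIEW (above $XML_BODY_LIMIT bytes or non-numeric: $limit)"
    fi
    if mod_sed_disabled "$1"; then
        echo "mod_sed: not loaded"
    else
        echo "mod_sed: LOADED - disable unless you really need stream editing"
    fi
}

# Constructed sample configurations (not real QNAP files): one that matches the
# workarounds, one that violates both.
SAFE_CONF=$(mktemp)
RISKY_CONF=$(mktemp)
cat >"$SAFE_CONF" <<'EOF'
# hardened: default-sized XML body limit, mod_sed left commented out
LimitXMLRequestBody 1000000
#LoadModule sed_module modules/mod_sed.so
EOF
cat >"$RISKY_CONF" <<'EOF'
LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 1000000
# a later directive at the same scope overrides the earlier one
LimitXMLRequestBody 536870912
EOF

audit_conf "$SAFE_CONF"
audit_conf "$RISKY_CONF"
rm -f "$SAFE_CONF" "$RISKY_CONF"
```

The comment-stripping step matters: a commented-out `#LoadModule sed_module` line must not be mistaken for an enabled module, and the last uncommented LimitXMLRequestBody wins, just as it does in Apache's own parsing at a single scope.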

QNAP says it intends to patch its devices, promising that it “will release security updates as soon as possible”, although we don’t want to guess how soon that will be, given that Apache itself made the patches publicly available just over five weeks ago.

You can keep your eye out for QNAP updates via the company’s decently laid-out Security Advisories page.

While you’re about it, remember that it’s very unlikely that you want a NAS of your own to be accessible from the internet side of your router, because that would leave it directly exposed to automated scanning, discovery and probing by cybercriminals.

Therefore we recommend the following precautions, too:

Don’t open your network servers up to the internet unless you really mean to. QNAP has advice on how to prevent your NAS device from receiving connections from the public internet by mistake, thus preventing your device from being accessed or even discovered in the first place. Perform a similar check for all the devices on your network, just in case you have other private devices that can inadvertently be “tickled” from the internet.

Don’t use Universal Plug-and-Play (UPnP). UPnP sounds very useful, because it’s designed to allow routers to reconfigure themselves automatically to make setting up new devices easier. But it comes with enormous risks, namely that your router might inadvertently make some new devices visible through the router, thus opening them up unexpectedly to untrusted users on the internet. Explicitly disable UPnP on every device that supports it, including on your router itself. If you have a router with UPnP that won’t let you turn it off, get a new router.

To read the complete article see:

https://nakedsecurity.sophos.com/2022/04/22/qnap-warns-of-new-bugs-in-its-network-attached-storage-devices/