Security ID: NAS-201803-15
Security Advisory for Samba vulnerabilities
Release date: March 15, 2018
CVE identifier: CVE-2018-1050 | CVE-2018-1057
Affected products: QNAP NAS running QTS versions 4.3.3 and 4.3.4
Severity
Important
Status
Resolved
Summary
Two recently discovered Samba vulnerabilities have been reported to affect all platforms using Samba 4.0.0 and later versions. If exploited, these vulnerabilities allow attackers to launch denial-of-service (DoS) attacks (CVE-2018-1050) or allow authenticated users to change the passwords of administrators and other users (CVE-2018-1057).
CVE-2018-1050 does not currently affect any QNAP products, but we have decided to create a fix for it in case future issues arise from it. On the other hand, CVE-2018-1057 affects NAS devices running QTS versions 4.3.3 and 4.3.4.
Neither vulnerability affects NAS devices running QTS versions 4.2.6 and earlier.
We have already fixed these issues in the following QTS versions.
- QTS 4.3.3: build 20180402 and later
- QTS 4.3.4: build 20180413 and later
Recommendation
To fix these vulnerabilities, you must update QTS to the following versions.
- QTS 4.3.3: build 20180402 or later
- QTS 4.3.4: build 20180413 or later
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download and then perform a manual update.
Revision history:
V1.1 (April 19, 2018) - Updated solutions and recommendations
V1.0 (March 15, 2018) - Published