Security ID : NAS-201907-31
Security Advisory for Samba AD DC
Release date : July 27, 2019
CVE identifier : CVE-2018-16860
Affected products: All QNAP NAS running QTS 4.3.3 and earlier versions
Severity
Moderate
Status
Resolved
Summary
A reported Samba 4.0 AD DC vulnerability may affect QNAP NAS devices running QTS 4.3.3 and earlier versions. The Samba issue, CVE-2018-16860, prevented the S4U2Self handler in the embedded Heimdal KDC from confirming whether the checksum was keyed. If exploited, this vulnerability could allow attackers to perform man-in-the-middle attacks.
We have already fixed this issue in the following QTS versions:
- QTS 4.4.1: build 20190626 and later
- QTS 4.4.0: build 20190627 and later
- QTS 4.3.6: build 20190704 and later
- QTS 4.3.4: build 20190701 and later
- QTS 4.3.3: build 20190629 and later
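The keyed-checksum check described in the Summary, as a simplified added example (not QNAP, Samba or Heimdal code). The request layout, function names and the "sha256" / "hmac-sha256" type names are assumptions made for illustration and are not Kerberos's real checksum types; the sample request is constructed.

```python
import hashlib
import hmac

# Stand-in type names for this example; not Kerberos's real checksum types.
UNKEYED = {"sha256": lambda key, data: hashlib.sha256(data).digest()}
KEYED = {"hmac-sha256": lambda key, data: hmac.new(key, data, hashlib.sha256).digest()}
ALGORITHMS = {**UNKEYED, **KEYED}


def make_request(key, user, cksum_type):
    """Build a constructed request: a user name plus a checksum over it."""
    return {"user": user, "cksum_type": cksum_type,
            "cksum": ALGORITHMS[cksum_type](key, user.encode())}


def verify_any_type(key, req):
    """Flawed check: accepts any checksum type as long as the value matches."""
    algo = ALGORITHMS.get(req["cksum_type"])
    if algo is None:
        return False
    return hmac.compare_digest(algo(key, req["user"].encode()), req["cksum"])


def verify_keyed_only(key, req):
    """Corrected check: reject unkeyed types before comparing the value."""
    if req["cksum_type"] not in KEYED:
        return False
    return verify_any_type(key, req)


def rewrite_in_transit(new_user):
    """Model of an on-path change made without the key: the name is replaced
    and an unkeyed checksum, which needs no secret, is recomputed over it."""
    return {"user": new_user, "cksum_type": "sha256",
            "cksum": hashlib.sha256(new_user.encode()).digest()}


def demo():
    key = b"constructed-session-key"  # constructed sample value
    genuine = make_request(key, "alice", "hmac-sha256")
    altered = rewrite_in_transit("administrator")
    return {"genuine_flawed": verify_any_type(key, genuine),
            "genuine_corrected": verify_keyed_only(key, genuine),
            "altered_flawed": verify_any_type(key, altered),
            "altered_corrected": verify_keyed_only(key, altered)}


if __name__ == "__main__":
    print(demo())
```

Only the verifier that insists on a keyed checksum type rejects the altered request, because an unkeyed checksum can be recomputed by anyone who can modify the message.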
Recommendation
To fix this vulnerability, we recommend updating QTS to the latest version.
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
  QTS downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Revision history: V1.0 (July 31, 2019) - Published