Search

安全ID : QSA-22-03

Multiple Vulnerabilities in Samba

  • 发布日期 : February 10, 2022

  • 通用漏洞披露 : CVE-2021-44141 | CVE-2021-44142 | CVE-2022-0336

  • 受影响产品: QNAP NAS

严重程度

严重

状态

已解决

Summary

Multiple vulnerabilities in Samba have been reported to affect QNAP NAS. If exploited, these vulnerabilities allow attackers to access sensitive information, run arbitrary commands, and impersonate existing services:

  • CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share
  • CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution
  • CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services

We have already fixed the vulnerabilities in the following version of QTS:

  • QTS 5.0.0.1932 build 20220129 and later
  • QTS 4.5.4.2012 build 20220419 and later
  • QTS 4.3.6.1965 build 20220302 and later
  • QTS 4.3.4.1976 build 20220303 and later
  • QTS 4.3.3.1945 build 20220303 and later
  • QuTS hero h5.0.0.1949 build 20220215 and later
  • QuTS hero h4.5.4.1951 build 20220218 and later
  • QuTScloud c5.0.1.1949 and later

QTS 4.2.6 is not affected.

Recommendation

To secure your QNAP NAS we recommend the following actions:

  • Disable SMB 1.
  • Update your operating system to the latest version.

Before a security update is available for your operating system version, we recommend the following action:

  • Deny guest access to all shared folders.

Disabling SMB 1

  1. Log on to QTS, QuTS hero or QuTScloud.
  2. Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
  3. Click Advanced Options.
    The Advanced Options window opens.
  4. Next to Lowest SMB version, select SMB 2 or higher.
  5. Click Apply.

Updating QTS, QuTS hero or QuTScloud

  1. Log on to QTS, QuTS hero or QuTScloud as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS, QuTS hero or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Denying Guest Access to Shared Folders

  1. Log on to QTS, QuTS hero or QuTScloud.
  2. Go to Control Panel > Privilege > Shared Folders > Shared Folder.
  3. Identify a shared folder.
  4. Under Action, click the Edit Shared Folder Permission icon.
    The Edit Shared Folder Permission window opens.
  5. Next to Guest Access Right, select Deny access.
  6. Click Apply.
  7. Repeat steps 3-6 for each shared folder.

修订历史:
V1.0 (February 10, 2022) - Published
V1.1 (February 15, 2022) - QTS 5.0.0 security update released
V1.2 (February 18, 2022) - QTS 4.5.4 and QuTS h5.0.0 security update released
V1.3 (March 19, 2022) - All the other platforms released

选择规格

      显示更多 隐藏更多
      open menu
      back to top