Network-attached storage (NAS) specialist Synology has warned its customers that some of its products are vulnerable to a number of critical vulnerabilities.
“Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM),” said the firm in an advisory.
The issues were discovered in Netatalk, an open source implementation of the Apple Filing Protocol, transforming Unix-like operating systems into file servers.
No patch yet
The Netatalk team fixed the issues roughly a month ago, with version 3.1.1., BleepingComputer reported. However, Synology says that releases for some of its affected endpoints are yet to roll out.
In total, four flaws seem to be plaguing Synology’s NAS appliances, all of which received a severity score of 9.8/10.
Synology didn’t provide any deadlines by which it expects the patches to be issued, but BleepingComputer says that the company usually delivers on such things within three months of the vulnerability being disclosed.
Furthermore, NAS appliances running DiskStation Manager (DSM) 7.1.or later have already been patched, it was said.
Less than a week ago, QNAP, another NAS vendor, discovered vulnerabilities in its products.
Discovered in Apache HTTP Server 2.4.52 and earlier, the bugs could be used to perform low complexity attacks that don’t require victim interaction.
QNAP warned NAS owners to apply known mitigations, advising them to keep the default value “1M” for LimitXMLRequestBody, and disable mod_sed, as these two things effectively plug the holes.
QNAP also said the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
“CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,” the company said at the time.