Taiwanese corporation QNAP has asked customers this week to disable the AFP file service protocol on their network-attached storage (NAS) appliances until it fixes multiple critical Netatalk vulnerabilities.
Netatalk is an open-source implementation of AFP (short for Apple Filing Protocol) that enables *NIX/*BSD systems to act as an AppleShare file server (AFP) for macOS clients.
On QNAP NAS devices, AFP allows macOS systems to access data on the NAS. According to QNAP, it’s still used because it “supports many unique macOS attributes that are not supported by other protocols.”
NCC Group’s EDG team members exploited one of these security flaws, tracked as CVE-2022-23121 and rated with a 9.8/10 severity score, to achieve remote code execution without authentication during the Pwn2Own 2021 hacking competition on a Western Digital PR4100 NAS running My Cloud OS firmware.
Three of the other bugs QNAP warned its customers about also received 9.8/10 severity ratings (i.e., CVE-2022-23125, CVE-2022-23122, CVE-2022-0194), all of them also allowing unauthenticated attackers to execute arbitrary code remotely without requiring authentication on unpatched devices.
On March 22, the Netatalk development team released version 3.1.13 to fix these security bugs, three months after the flaws were reported following the Pwn2Own contest.
QNAP says the Netatalk vulnerabilities (fixed in QTS 18.104.22.1682 build 20220419 and later) impact the following operating system versions:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
QNAP: Disable AFP until firmware gets patched
“QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” the NAS maker said.
“To mitigate these vulnerabilities, disable AFP. We recommend users to check back and install security updates as soon as they become available.”
To disable AFP on your QTS or QuTS hero NAS device, you will have to go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking and select Disable AFP (Apple Filing Protocol).
QNAP is also working on addressing a Linux vulnerability dubbed ‘Dirty Pipe’ actively exploited in attacks that allows gaining root privileges and a high severity OpenSSL bug that can lead to denial of service (DoS) states and remote crashes.
While the Dirty Pipe flaw remains to be fixed for NAS devices running QuTScloud c5.0.x, QNAP has only released QTS security updates for the OpenSSL DoS flaw it warned customers about one month ago.
One week ago, customers were also told to mitigate a pair of critical Apache HTTP Server bugs added to the queue of vulnerabilities that need to be addressed for devices running QTS, QuTS hero, and QuTScloud.