Release date: February 10, 2022
...
...
Summary
Multiple vulnerabilities in Samba have been reported to affect QNAP NAS. If exploited, these vulnerabilities allow attackers to access sensitive information, run arbitrary commands, and impersonate existing services:
- CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share
- CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution
- CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services
QNAP is thoroughly investigating the vulnerabilities. We will release security updates and provide further information as soon as possible.
Recommendation
Before security updates are available, to secure your QNAP NAS we recommend the following actions:
- Disable SMB 1.
- Deny guest access to all shared folders.
Disabling SMB 1
- Log on to QTS or QuTS hero.
- Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
- Click Advanced Options.
The Advanced Options window opens.
- Next to Lowest SMB version, select SMB 2 or higher.
- Click Apply.
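The following check is an added example, not part of QNAP's advisory. It reads Samba settings in standard smb.conf syntax and reports anything that conflicts with the two recommendations above, plus any share that loads vfs_fruit, the module affected by CVE-2021-44142. It assumes the NAS's Samba settings are available as smb.conf text; the function names and the sample configuration are constructed for illustration.

```python
import re
# SMB 1 dialect names, boolean "true" spellings and parameter synonyms in Samba.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
TRUE_VALUES = {"yes", "true", "1", "on"}
SYNONYMS = {"min protocol": "server min protocol", "public": "guest ok"}
# Constructed sample configuration, not taken from a real NAS.
SAMPLE = """\
[global]
    server min protocol = NT1
[Public]
    guest ok = yes
[TimeMachine]
    vfs objects = catia fruit streams_xattr
    public = no
"""

def parse_smb_conf(text):
    """Return {section: {param: value}} with names lowercased and canonical."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = " ".join(key.lower().split())
            current[SYNONYMS.get(key, key)] = value.strip()
    return sections

def audit(text):
    """List settings that conflict with the advisory's recommendations."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    min_proto = glob.get("server min protocol")
    if min_proto is None:
        findings.append("global: lowest SMB version is not set explicitly")
    elif min_proto.upper() in SMB1_DIALECTS:
        findings.append(f"global: SMB 1 is allowed (min protocol {min_proto})")
    for name, params in conf.items():
        merged = {**glob, **params}  # shares inherit [global] values
        if name != "global" and merged.get("guest ok", "no").lower() in TRUE_VALUES:
            findings.append(f"{name}: guest access is allowed")
        if "fruit" in re.split(r"[,\s]+", merged.get("vfs objects", "")):
            findings.append(f"{name}: vfs_fruit is loaded (CVE-2021-44142)")
    return findings
```

Calling `audit(SAMPLE)` returns three findings, one for each item the advisory raises; an empty list means none of the three conditions was found.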
... ... ...