=====================================================================
CERT-Renater Note d'Information No. 2022/VULN312
_____________________________________________________________________

DATE                 : 01/09/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running QTS, QuTS hero or QuTScloud versions
                       earlier than the fixed releases QTS 5.0.0.2131 build
                       20220815 and QTS 4.5.4.2125 build 20220810.
=====================================================================

https://www.qnap.com/fr-fr/security-advisory/qsa-22-22
https://www.qnap.com/fr-fr/security-advisory/qsa-22-23
_____________________________________________________________________

Multiple Vulnerabilities in Samba

Release date      : August 16, 2022
Security ID       : QSA-22-22
Severity          : High
CVE identifier    : CVE-2022-32742 | CVE-2022-2031 | CVE-2022-32744 |
                    CVE-2022-32745 | CVE-2022-32746
Affected products : Certain QNAP NAS
Status            : Fixing

Summary

Multiple vulnerabilities have been reported to affect Samba:

- Medium, CVE-2022-32742: An SMB1 client with write access to a share can
  cause server memory contents to be written into a file or printer.
- Medium, CVE-2022-2031: The KDC and the kpasswd service share a single
  account and set of keys, allowing them to decrypt each other's tickets.
  A user who has been requested to change their password can exploit this
  to obtain and use tickets to other services.
- High, CVE-2022-32744: The KDC accepts kpasswd requests encrypted with any
  key known to it. By encrypting forged kpasswd requests with its own key,
  a user can change the passwords of other users, enabling full domain
  takeover.
- Medium, CVE-2022-32745: Samba AD users can cause the server to access
  uninitialised data with an LDAP add or modify request, usually resulting
  in a segmentation fault.
- Medium, CVE-2022-32746: The AD DC database audit logging module can be
  made to access LDAP message values that have been freed by a preceding
  database module, resulting in a use-after-free. This is only possible
  when modifying certain privileged attributes, such as userAccountControl.

Product Status

The following QNAP operating system versions have been affected:

- QTS 5.0.1
- QTS 5.0.0
- QTS 4.5.x/4.4.x
- QTS 4.3.x
- QTS 4.2.x (CVE-2022-32742 only, will not fix)
- QuTS hero h5.0.1
- QuTS hero h5.0.0
- QuTS hero h4.5.x
- QuTScloud c5.0.1

We have already fixed the vulnerabilities in the following versions:

- QTS 5.0.0.2131 build 20220815 and later
- QTS 4.5.4.2125 build 20220810 and later

Recommendation

To secure your QNAP NAS, we strongly recommend the following actions:

- Do not expose the SMB service to the internet.
- Disable SMB 1.
- Do not expose your NAS to the internet. If you enabled myQNAPcloud, set up
  myQNAPcloud on the NAS to enable secure remote access.
- Update your operating system to the latest version.

Disabling SMB 1

1. Log on to QTS, QuTS hero or QuTScloud.
2. Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft
   Networking.
3. Click Advanced Options. The Advanced Options window opens.
4. Next to Lowest SMB version, select SMB 2 or higher.
5. Click Apply.

Reducing Internet Exposure

1. Log in to your router.
2. Disable the UPnP and DMZ functions.
3. Disable all port forwarding rules.
4. Use a VPN to reduce exposure of NAS services to the internet. For details,
   refer to this document.

Setting Up myQNAPcloud on the NAS

1. Log on to QTS, QuTS hero, or QuTScloud as an administrator.
2. Open myQNAPcloud.
3. Disable UPnP port forwarding.
   a. Go to Auto Router Configuration.
   b. Deselect Enable UPnP Port forwarding.
4. Enable DDNS.
   a. Go to My DDNS.
   b. Click the toggle button to enable My DDNS.
5. Do not publish your NAS services.
   a. Go to Published Services.
   b. Deselect all items under Publish.
   c. Click Apply.
6. Configure myQNAPcloud Link to enable secure remote access to your NAS via
   a SmartURL.
   a. Go to myQNAPcloud Link.
   b. Click Install to install myQNAPcloud Link on your NAS.
   c. Click the toggle button to enable myQNAPcloud Link.
7. Restrict which users can remotely access your NAS via the SmartURL.
   a. Go to Access Control.
   b. Next to Device access controls, select Private or Customized.
      Note: Selecting Private allows only the QNAP ID logged in to
      myQNAPcloud to access the NAS via the SmartURL. Selecting Customized
      allows you to invite other QNAP ID accounts to access the device via
      the SmartURL.
   c. If you selected Customized, click Add and specify a QNAP ID to invite
      the user.
8. Obtain the SmartURL by going to Overview.

For questions on using myQNAPcloud, visit https://support.myqnapcloud.com/.

Updating QTS, QuTS hero or QuTScloud

1. Log on to QTS, QuTS hero or QuTScloud as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update. QTS, QuTS hero or QuTScloud
   downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your specific
device.

Revision History:
V1.0 (August 16, 2022) - Published
_____________________________________________________________________

Multiple Vulnerabilities in Apache HTTP Server

Release date      : August 16, 2022
Security ID       : QSA-22-23
Severity          : Medium
CVE identifier    : CVE-2022-26377 | CVE-2022-28330 | CVE-2022-28614 |
                    CVE-2022-28615 | CVE-2022-29404 | CVE-2022-30522 |
                    CVE-2022-30556 | CVE-2022-31813
Affected products : Certain QNAP NAS
Status            : Fixing

Summary

Multiple vulnerabilities have been reported to affect Apache HTTP Server:

- Medium, CVE-2022-26377: Possible request smuggling
- Not affected, CVE-2022-28330: Read beyond bounds in mod_isapi
- Low, CVE-2022-28614: Read beyond bounds via ap_rwrite()
- Low, CVE-2022-28615: Read beyond bounds in ap_strcmp_match()
- Low, CVE-2022-29404: Denial of service in mod_lua r:parsebody
- Low, CVE-2022-30522: mod_sed denial of service
- Low, CVE-2022-30556: Information disclosure in mod_lua with websockets
- Low, CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop
  mechanism

Product Status

The following QNAP operating systems have been affected:

- QTS 5.0.1
- QTS 5.0.0
- QTS 4.5.x/4.4.x
- QTS 4.3.x
- QuTS hero h5.0.1
- QuTS hero h5.0.0
- QuTS hero h4.5.x
- QuTScloud c5.0.1

We have already fixed the vulnerabilities in the following versions:

- QTS 5.0.0.2131 build 20220815 and later
- QTS 4.5.4.2125 build 20220810 and later

Recommendation

To secure your QNAP NAS, we strongly recommend the following actions:

- Do not expose your NAS to the internet. If you enabled myQNAPcloud, set up
  myQNAPcloud on the NAS to enable secure remote access.
- Update your operating system to the latest version.

Reducing Internet Exposure

1. Log in to your router.
2. Disable the UPnP and DMZ functions.
3. Disable all port forwarding rules.
4. Use a VPN to reduce exposure of NAS services to the internet. For details,
   refer to this document.

Setting Up myQNAPcloud on the NAS

1. Log on to QTS, QuTS hero, or QuTScloud as an administrator.
2. Open myQNAPcloud.
3. Disable UPnP port forwarding.
   a. Go to Auto Router Configuration.
   b. Deselect Enable UPnP Port forwarding.
4. Enable DDNS.
   a. Go to My DDNS.
   b. Click the toggle button to enable My DDNS.
5. Do not publish your NAS services.
   a. Go to Published Services.
   b. Deselect all items under Publish.
   c. Click Apply.
6. Configure myQNAPcloud Link to enable secure remote access to your NAS via
   a SmartURL.
   a. Go to myQNAPcloud Link.
   b. Click Install to install myQNAPcloud Link on your NAS.
   c. Click the toggle button to enable myQNAPcloud Link.
7. Restrict which users can remotely access your NAS via the SmartURL.
   a. Go to Access Control.
   b. Next to Device access controls, select Private or Customized.
      Note: Selecting Private allows only the QNAP ID logged in to
      myQNAPcloud to access the NAS via the SmartURL. Selecting Customized
      allows you to invite other QNAP ID accounts to access the device via
      the SmartURL.
   c. If you selected Customized, click Add and specify a QNAP ID to invite
      the user.
8. Obtain the SmartURL by going to Overview.

For questions on using myQNAPcloud, visit https://support.myqnapcloud.com/.

Updating QTS, QuTS hero or QuTScloud

1. Log on to QTS, QuTS hero or QuTScloud as administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update. QTS, QuTS hero or QuTScloud
   downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your specific
device.

Revision History:
V1.0 (August 16, 2022) - Published

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email:cert@support.renater.fr  +
=========================================================
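As an added verification for the "Disabling SMB 1" procedure in QSA-22-22 above (example code written for this note, not taken from the QNAP or CERT-Renater advisories): after raising Lowest SMB version to SMB 2 or higher, this probe sends a single SMB1 NEGOTIATE to your own NAS and reports whether the server still selects an SMB1 dialect. It uses only the Python standard library; the host name and port 445 passed to probe() are assumptions you supply.

```python
# Added example, not part of the CERT-Renater or QNAP advisory text: check from
# a client whether a NAS still negotiates SMB1 once "Lowest SMB version" has
# been raised to SMB 2 or higher. Standard library only; host/port are yours.
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72


def build_smb1_negotiate(dialects=(b"NT LM 0.12", b"SMB 2.002")):
    """NetBIOS-framed SMB1 NEGOTIATE request offering the given dialects.
    Offering "SMB 2.002" next to the SMB1 dialect lets a server with SMB1
    disabled answer with an SMB2 NEGOTIATE response instead of dropping us."""
    # 32-byte SMB1 header: magic, command, NT status, flags, flags2, PIDHigh,
    # signature, reserved, TID, PIDLow, UID, MID (all little-endian).
    header = SMB1_MAGIC + struct.pack("<BIBHH8sHHHHH", SMB_COM_NEGOTIATE, 0,
                                      0x18, 0xC853, 0, b"\0" * 8, 0, 0, 0xFEFF, 0, 0)
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # dialect strings
    msg = header + struct.pack("<BH", 0, len(data)) + data     # WordCount, ByteCount
    return struct.pack(">I", len(msg)) + msg                   # NetBIOS session header


def classify_response(resp):
    """Return 'smb1' (SMB1 still enabled: a dialect was selected), 'smb2'
    (SMB1 disabled: SMB2 NEGOTIATE response) or 'none' (no dialect / not SMB)."""
    if len(resp) < 4 + 32:
        return "none"
    smb = resp[4:]  # strip the NetBIOS session header
    if smb.startswith(SMB2_MAGIC):
        return "smb2"
    if smb.startswith(SMB1_MAGIC) and smb[4] == SMB_COM_NEGOTIATE and len(smb) >= 35:
        word_count = smb[32]
        dialect_index = struct.unpack_from("<H", smb, 33)[0]  # 0xFFFF = none accepted
        if word_count >= 1 and dialect_index != 0xFFFF:
            return "smb1"
    return "none"


def probe(host, port=445, timeout=5.0):
    """Connect to host:port, send the negotiate request and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_smb1_negotiate())
        try:
            resp = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            resp = b""  # connection dropped: the server accepted no dialect
    return classify_response(resp)
```

Run probe("your-nas-hostname") against the NAS you administer: "smb2" or "none" confirms the setting took effect, while "smb1" means the server still accepts an SMB1 dialect.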