Taiwanese company QNAP has said to customers that they should stop the AFP file service protocol on their network-attached storage (NAS) equipment until it patches serious Netatalk flaws. Netatalk is an open-source AFP (Apple Filing Protocol) implementation that allows *NIX/*BSD computers to serve as an AppleShare file server (AFP) to macOS clients.
AFP allows macOS PCs to access data stored on QNAP NAS machines. It’s still in use, according to QNAP, since it “supports many unique macOS attributes that are not supported by other protocols.” During the Pwn2Own 2021 hacking competition, NCC Group’s EDG team members exploited one of these security flaws, identified as CVE-2022-23121, and with a severity score of 9.8/10, to accomplish remote code execution without authentication on a Western Digital PR4100 NAS running My Cloud OS firmware.
Three more issues that QNAP notified its customers about (CVE-2022-23125, CVE-2022-23122, CVE-2022-0194) all obtained a 9.8/10 severity rating, allowing unauthenticated attackers to potentially execute arbitrary code without needing authentication on unpatched devices. Three months after the issues were disclosed during the Pwn2Own contest, the Netatalk development team published version 3.1.13 to patch these security problems on March 22.
According to QNAP, the following operating systems are affected by the Netatalk vulnerabilities (fixed in QTS 220.127.116.112 build 20220419 and later):
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
“QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” said the NAS maker. “To mitigate these vulnerabilities, disable AFP. We recommend users to check back and install security updates as soon as they become available.”
You must go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking and choose Disable AFP to disable AFP (Apple Filing Protocol) on your QTS or QuTS hero NAS device. QNAP is also fixing a Linux vulnerability known as ‘Dirty Pipe,’ which has been extensively exploited in attacks and allows acquiring root capabilities, as well as a high severity OpenSSL flaw that can cause DoS situations and remote crashes.
While the Dirty Pipe weakness in NAS systems using QuTScloud c5.0.x has yet to be addressed, QNAP has just published QTS security upgrades for the OpenSSL DoS flaw about which it alerted customers a month ago. Customers were also instructed a week ago to mitigate a pair of severe Apache HTTP Server problems that had been added to the list of vulnerabilities that needed to be fixed for devices running QTS, QuTS hero, and QuTScloud.