QNAP warns users to disable AFP until it fixes critical bugs

Taiwanese company QNAP this week asked its customers to disable the AFP file service protocol on their network-attached storage (NAS) devices until it fixes several critical Netatalk vulnerabilities.

Netatalk is an open source implementation of AFP (short for Apple Filing Protocol) that allows *NIX/*BSD systems to act as an AppleShare (AFP) file server for macOS clients.

On QNAP NAS devices, AFP allows macOS systems to access data on the NAS. According to QNAP, it’s still in use because it “supports many unique macOS attributes that are not supported by other protocols.”

Members of the NCC Group EDG team exploited one of these flaws, tracked as CVE-2022-23121 and rated 9.8/10 in severity, to achieve unauthenticated remote code execution on a Western Digital PR4100 NAS running My Cloud OS firmware at the 2021 Pwn2Own hacking contest.

Three of the other bugs QNAP notified customers of also carry severity ratings of 9.8/10, as they too can be exploited remotely without authentication on unpatched devices.

On March 22, the Netatalk development team released version 3.1.13 to fix these security bugs, three months after the flaws were reported following the Pwn2Own competition.

QNAP reports that the Netatalk vulnerabilities (fixed in QTS build 20220419 and later) impact the following operating system versions:

  • QTS 5.0.x and later
  • QTS 4.5.4 and later
  • QTS 4.3.6 and later
  • QTS 4.3.4 and later
  • QTS 4.3.3 and later
  • QTS 4.2.6 and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.4 and later
  • QuTScloud c5.0.x

QNAP: Disable AFP until firmware is fixed

“QNAP is thoroughly investigating the matter. We will release security updates for all affected QNAP OS versions and provide additional information as soon as possible,” the NAS maker said.

“To mitigate these vulnerabilities, disable AFP. We recommend that users check and install security updates as they become available.”

To disable AFP on your QTS or QuTS hero NAS device, you will need to go to Control Panel > Network and File Services > Win/Mac/NFS/WebDAV > Apple Networking and select Disable AFP (Apple Filing Protocol).
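After flipping that switch, it is worth confirming from another host on the LAN that nothing answers on TCP/548 any more (nmap's afp-serverinfo script does the same job). The script below is an added example, not QNAP's or Netatalk's code: it sends a DSI GetStatus request, the unauthenticated call every AFP client makes before logging in, and decodes the FPGetSrvrInfo reply. A refused or timed-out connection means the mitigation took effect; a reply means AFP is still up, and the machine type field, which Netatalk fills with its own version string, tells you whether the daemon is older than the fixed 3.1.13. The sample reply bytes are constructed here for offline use, and the host name in the usage block is an assumption.

```python
"""Check whether a host still answers AFP (TCP/548) and decode the DSI GetStatus reply."""
import re
import socket
import struct

AFP_PORT = 548
DSI_GETSTATUS = 3          # DSI command code; the server answers with an FPGetSrvrInfo block
DSI_HEADER = ">BBHiII"     # flags, command, requestID, errorCode/dataOffset, totalDataLength, reserved


def build_getstatus_request(request_id: int = 1) -> bytes:
    """16-byte DSI header for an unauthenticated GetStatus request (it carries no payload)."""
    return struct.pack(DSI_HEADER, 0, DSI_GETSTATUS, request_id, 0, 0, 0)


def _pascal(data: bytes, off: int) -> str:
    """Length-prefixed (Pascal) string, the string encoding used throughout FPGetSrvrInfo."""
    n = data[off]
    return data[off + 1:off + 1 + n].decode("ascii", "replace")


def _pascal_list(data: bytes, off: int) -> list:
    """A count byte followed by that many Pascal strings (AFP versions, UAMs)."""
    items = []
    count = data[off]
    off += 1
    for _ in range(count):
        items.append(_pascal(data, off))
        off += 1 + data[off]
    return items


def parse_srvr_info(payload: bytes) -> dict:
    """Decode the fixed part of an FPGetSrvrInfo block; all offsets are relative to the block start."""
    if len(payload) < 11:
        raise ValueError("FPGetSrvrInfo block too short")
    mt_off, ver_off, uam_off, _icon_off, flags = struct.unpack(">HHHHH", payload[:10])
    return {
        "server_name": _pascal(payload, 10),       # Pascal string right after the five 16-bit fields
        "machine_type": _pascal(payload, mt_off),
        "afp_versions": _pascal_list(payload, ver_off),
        "uams": _pascal_list(payload, uam_off),
        "flags": flags,
    }


def netatalk_version(machine_type: str):
    """Netatalk advertises itself as 'Netatalk<version>' in the machine type; return (3, 1, 12) or None."""
    m = re.fullmatch(r"Netatalk(\d+)\.(\d+)\.(\d+)", machine_type)
    return tuple(int(x) for x in m.groups()) if m else None


def _recv_exactly(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf


def afp_server_info(host: str, port: int = AFP_PORT, timeout: float = 3.0):
    """Return the decoded server info, or None when nothing accepts connections on the port."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:          # refused, timed out, unreachable: no AFP listener, mitigation in place
        return None
    with sock:
        sock.sendall(build_getstatus_request())
        flags, cmd, _req, err, length, _ = struct.unpack(DSI_HEADER, _recv_exactly(sock, 16))
        if flags != 1 or cmd != DSI_GETSTATUS or err != 0:
            raise ValueError(f"unexpected DSI reply: flags={flags} cmd={cmd} err={err}")
        return parse_srvr_info(_recv_exactly(sock, length))


def build_srvr_info(server_name: str, machine_type: str, afp_versions, uams, flags: int = 0) -> bytes:
    """Constructed sample reply (not captured from a device) so the parser can be exercised offline."""
    def p(s: str) -> bytes:
        b = s.encode("ascii")
        return bytes([len(b)]) + b
    mt = p(machine_type)
    vers = bytes([len(afp_versions)]) + b"".join(p(v) for v in afp_versions)
    uam = bytes([len(uams)]) + b"".join(p(u) for u in uams)
    mt_off = 10 + 1 + len(server_name)          # header fields + server name Pascal string
    ver_off = mt_off + len(mt)
    uam_off = ver_off + len(vers)
    return struct.pack(">HHHHH", mt_off, ver_off, uam_off, 0, flags) + p(server_name) + mt + vers + uam


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "nas.example.internal"   # assumed host name
    info = afp_server_info(target)
    if info is None:
        print(f"{target}: TCP/{AFP_PORT} not accepting connections, AFP appears disabled")
    else:
        print(f"{target}: AFP still up, server={info['server_name']!r} "
              f"machine={info['machine_type']!r} versions={info['afp_versions']} "
              f"netatalk={netatalk_version(info['machine_type'])}")
```

Run it against the NAS from a workstation on the same subnet, before and after disabling AFP; a result of None on the second run is the outcome you want. The script only ever sends the GetStatus header, so it is safe to point at production devices.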

QNAP is also working on fixes for the Linux “Dirty Pipe” vulnerability, which is actively exploited in attacks to obtain root privileges, and for a high-severity OpenSSL bug that can be triggered remotely to cause denial of service (DoS) and crashes.

While the Dirty Pipe flaw remains unpatched on NAS devices running QuTScloud c5.0.x, QNAP has so far released only QTS security updates for the OpenSSL DoS flaw it warned customers about a month ago.

A week ago, customers were also advised to mitigate a pair of critical Apache HTTP Server bugs added to the queue of vulnerabilities that need to be fixed for devices running QTS, QuTS hero, and QuTScloud.
