QNAP has asked their user to change Apache server configuration files to mitigate two new critical vulnerabilities in their network attached storage devices (NAS) that would allow attackers to exploit Apache HTTP Servers. The flaws (tracked as CVE-2022-22721 and CVE-2022-23943) were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier. CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device. The exploitation is done remotely in low complexity attacks and does not require user authentication.
Analyst Notes
Patches have not been made available for these vulnerabilities at the time of writing, but QNAP does explain that there are mitigations that can take place in the meantime to better protect their clients. Customers should keep the default value “1M” for LimitXMLRequestBody to mitigate CVE-2022-22721 attacks and disable mod_sed as a CVE-2022-23943 mitigation. The company also notes that the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
https://www.bleepingcomputer.com/news/security/qnap-asks-users-to-mitigate-critical-apache-http-server-bugs/
