Synology has warned customers that some of its network-attached storage (NAS) appliances are exposed to attacks exploiting multiple critical Netatalk vulnerabilities. “Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM),” Synology said. Netatalk is an AFP (short for Apple Filing Protocol) open-source implementation that allows systems running *NIX/*BSD to act as AppleShare file servers (AFP) for macOS clients (i.e., to access files stored on Synology NAS devices).
The Netatalk development team addressed the security bugs in version 3.1.1, released on March 22, three months after the Pwn2Own 2021 hacking competition, where they were first disclosed and exploited. The NCC Group’s EDG team exploited the security flaw (tracked as CVE-2022-23121 and rated with a 9.8/10 severity score) to achieve remote code execution without authentication on a Western Digital PR4100 NAS running My Cloud OS firmware during the Pwn2Own contest. Synology highlighted three other bugs in today’s warning (i.e., CVE-2022-23125, CVE-2022-23122, CVE-2022-0194) that have also received identical severity ratings.
They’re also enabling unauthenticated attackers to execute arbitrary code remotely on unpatched devices. Even though the Netatalk development team has released security patches to address the flaws last month, Synology says that releases for some of the impacted products are still “ongoing.”
Although the NAS maker doesn’t provide an estimated timeline for these incoming updates, Synology told reporters last year that it generally issues patches for affected software within 90 days of publishing advisories. The company also added that the Netatalk vulnerabilities have already been fixed for appliances running DiskStation Manager (DSM) 7.1 or later. QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company’s cloud-optimized NAS operating system. Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes already available for appliances running QTS 184.108.40.2062 build 20220419 and later.
Earlier this week, QNAP, another Taiwanese NAS appliance maker, urged its customers to disable their NAS devices’ AFP file service protocol until it fixes the critical Netatalk security flaws. “QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” the NAS maker said. We recommend users to check back and install security updates as soon as they become available.”