Taiwanese company QNAP this week revealed that a select number of its network-attached storage (NAS) devices are affected by a recently disclosed bug in the open-source OpenSSL cryptographic library.
“An unlimited loop vulnerability in OpenSSL has been reported to impact certain QNAP NAS,” the company said in an advisory published on March 29, 2022. “If made use of, the vulnerability allows assaulters to carry out denial-of-service attacks.”
Tracked as CVE-2022-0778 (CVSS score: 7.5), the issue relates to a bug that arises when parsing security certificates and can be used to trigger a denial-of-service condition and remotely crash unpatched devices.
QNAP, which is currently investigating its line-up, said it affects the following versions: QTS 4.2.6 and later, QuTS hero h5.0.x and later, QuTS hero h4.5.4 and later, and QuTScloud c5.0.x.
To date, there is no evidence that the vulnerability has been exploited in the wild. Although Italy’s Computer Security Incident Response Team (CSIRT) released an advisory to the contrary on March 16, the agency clarified to The Hacker News that it has “updated the alert with an errata corrige.”
The advisory comes a week after QNAP released security updates for QuTS hero (version h18.104.22.1689 build 20220215 and later) to address the “Dirty Pipe” local privilege escalation flaw affecting its devices. Patches for the QTS and QuTScloud operating systems are expected to be released soon.