[BreachExchange] QNAP Working on Patches for OpenSSL Flaws Affecting its NAS Devices

Wed Sep 1 08:51:13 EDT 2021

https://thehackernews.com/2021/09/qnap-working-on-patches-for-openssl.html

Network-attached storage (NAS) appliance maker QNAP said it's currently
investigating two recently patched security flaws in OpenSSL to determine
their potential impact, adding it will release security updates should its
products turn out to be vulnerable.

Tracked as CVE-2021-3711 (CVSS score: 7.5) and CVE-2021-3712 (CVSS score:
4.4), the weaknesses concern a high-severity buffer overflow in SM2
decryption function and a buffer overrun issue when processing ASN.1
strings that could be abused by adversaries to run arbitrary code, cause a
denial-of-service condition, or result in disclosure of private memory
contents, such as private keys, or sensitive plaintext —

   - CVE-2021-3711 - OpenSSL SM2 decryption buffer overflow
   - CVE-2021-3712 - Read buffer overruns processing ASN.1 strings

"A malicious attacker who is able present SM2 content for decryption to an
application could cause attacker chosen data to overflow the buffer by up
to a maximum of 62 bytes altering the contents of other data held after the
buffer, possibly changing application behaviour or causing the application
to crash," according to the advisory for CVE-2021-3711.

OpenSSL, a widely used open-source cryptographic library that provides
encrypted connections using Secure Sockets Layer (SSL) or Transport Layer
Security (TLS), addressed the issues in versions OpenSSL 1.1.1l and 1.0.2za
that were shipped on August 24.

In the meanwhile, NetApp on Tuesday confirmed that the flaws affect the
following products, while it continues to assess the rest of its lineup —

   - Clustered Data ONTAP
   - Clustered Data ONTAP Antivirus Connector
   - E-Series SANtricity OS Controller Software 11.x
   - NetApp Manageability SDK
   - NetApp SANtricity SMI-S Provider
   - NetApp SolidFire & HCI Management Node
   - NetApp Storage Encryption

The development follows days after NAS maker Synology also disclosed that
it's opened an investigation into a number of models, comprising DSM 7.0,
DSM 6.2, DSM UC, SkyNAS, VS960HD, SRM 1.2, VPN Plus Server, and VPN Server,
to check if they are affected by the same two flaws.

"Multiple vulnerabilities allow remote attackers to conduct
denial-of-service attack[s] or possibly execute arbitrary code via a
susceptible version of Synology DiskStation Manager (DSM), Synology Router
Manager (SRM), VPN Plus Server or VPN Server," the Taiwanese company said
in an advisory.

Other companies whose products rely on OpenSSL have also released security
bulletins, including —

   - Debian
   - Red Hat (CVE-2021-3711, CVE-2021-3712)
   - SUSE (CVE-2021-3711, CVE-2021-3712), and
   - Ubuntu (CVE-2021-3711, CVE-2021-3712).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210901/161135bd/attachment.html>