QNAP has asked customers to apply mitigation measures to block attempts to exploit Apache HTTP Server security vulnerabilities impacting their network-attached storage (NAS) devices.
The flaws (tracked as CVE-2022-22721 and CVE-2022-23943) were tagged as critical with severity base scores of 9.8/10 and impact systems running Apache HTTP Server 2.4.52 and earlier.
As revealed by NVD analysts’ evaluation [1, 2], unauthenticated attackers can exploit the vulnerabilities remotely in low complexity attacks without requiring user interaction.
QNAP is currently investigating the two security bugs and plans to release security updates in the near future.
“CVE-2022-22721 affects 32-bit QNAP NAS models, and CVE-2022-23943 affects users who have enabled mod_sed in Apache HTTP Server on their QNAP device,” the Taiwan-based NAS maker explained.
“We are thoroughly investigating the two vulnerabilities that affect QNAP products, and will release security updates as soon as possible.”
No patches yet but mitigation available
Until patches are available, QNAP advises customers to keep the default value “1M” for LimitXMLRequestBody to mitigate CVE-2022-22721 attacks and disable mod_sed as CVE-2022-23943 mitigation.
The company also notes that the mod_sed in-process content filter is disabled by default in Apache HTTP Server on NAS devices running the QTS operating system.
QNAP is also working on security updates to address a high severity Linux vulnerability dubbed ‘Dirty Pipe’ that enables attackers with local access to gain root privileges.
NAS devices running multiple versions of QTS, QuTS hero, and QuTScloud are also affected by a high severity OpenSSL bug that threat actors can exploit to trigger denial of service (DoS) states and remotely crash vulnerable devices.
While the Dirty Pipe bug remains to be fixed for devices running QuTScloud c5.0.x, QNAP has yet to release patches for the OpenSSL DoS flaw it warned customers three weeks ago.
The company says there is no mitigation for these two vulnerabilities and recommends that customers “check back and install security updates as soon as they become available.”
Source: https://www.bleepingcomputer.com/news/security/qnap-asks-users-to-mitigate-critical-apache-http-server-bugs/
