Qnap Security Advisory QSA-22-03: Investigating Multiple Vulnerabilities in Samba

Qnap Systems, Inc. has published a security advisory concerning an investigation of multiple vulnerabilities in Samba.

Release date: February 10, 2022
Security ID: QSA-22-03
Severity: Critical
CVE identifier: CVE-2021-44141 | CVE-2021-44142 | CVE-2022-0336
Affected products: Qnap NAS
Status: Investigating

Summary
Multiple vulnerabilities in Samba have been reported to affect Qnap NAS. If exploited, these vulnerabilities allow attackers to access sensitive information, run arbitrary commands, and impersonate existing services:

CVE-2021-44141: Information leak via symlinks of existance of files or directories outside of the exported share
CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution
CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services

The company is thoroughly investigating the vulnerabilities. The firm will release security updates and provide further information as soon as possible.

Recommendation
Before security updates are available, to secure your Qnap NAS the company recommend the following actions:

Disable SMB 1.
Deny guest access to all shared folders.

Disabling SMB 1

Log on to QTS or QuTS hero.
Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
Click Advanced Options.
The Advanced Options window opens.
Next to Lowest SMB version, select SMB 2 or higher.
Click Apply.

Denying guest access to shared folders

Log on to QTS or QuTS hero.
Go to Control Panel > Privilege > Shared Folders > Shared Folder.
Identify a shared folder.
Under Action, click the Edit Shared Folder Permission icon.
The Edit Shared Folder Permission window opens.
Next to Guest Access Right, select Deny access.
Click Apply.
Repeat steps 3-5 for each shared folder.

Revision history: V1.0 (February 10, 2022) – Published