
Qnap Security Advisory QSA-22-23 Fixing Multiple Vulnerabilities in Apache HTTP Server

Fixing status, affecting certain versions of QTS, QuTS hero NAS OS, and QuTScloud

Qnap Systems, Inc. has published a security advisory concerning multiple vulnerabilities in the Apache HTTP Server used by its QTS NAS OS.

Release date: August 16, 2022

Security ID: QSA-22-23

Severity: Medium

CVE identifier: CVE-2022-26377 | CVE-2022-28330 | CVE-2022-28614 | CVE-2022-28615 | CVE-2022-29404 | CVE-2022-30522 | CVE-2022-30556 | CVE-2022-31813

Affected products: Certain Qnap NAS

Status: Fixing

Summary
Multiple vulnerabilities have been reported to affect Apache HTTP Server:

  •  Medium, CVE-2022-26377: Possible request smuggling 
  •  Not affected, CVE-2022-28330: Read beyond bounds in mod_isapi 
  •  Low, CVE-2022-28614: Read beyond bounds via ap_rwrite() 
  •  Low, CVE-2022-28615: Read beyond bounds in ap_strcmp_match() 
  •  Low, CVE-2022-29404: Denial of service in mod_lua r:parsebody 
  •  Low, CVE-2022-30522: mod_sed denial of service 
  •  Low, CVE-2022-30556: Information Disclosure in mod_lua with websockets 
  •  Low, CVE-2022-31813: mod_proxy X-Forwarded-For dropped by hop-by-hop mechanism 
      
Product status
The following Qnap OS versions are affected:
  •  QTS 5.0.1 
  •  QTS 5.0.0 
  •  QTS 4.5.x/4.4.x 
  •  QTS 4.3.x 
  •  QuTS hero h5.0.1 
  •  QuTS hero h5.0.0 
  •  QuTS hero h4.5.x 
  •  QuTScloud c5.0.1 
The company has already fixed these vulnerabilities in the following versions:
  •  QTS 5.0.0.2131 build 20220815 and later 
  •  QTS 4.5.4.2125 build 20220810 and later 
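As an added example (not part of the advisory or of Qnap's own tooling), the following Python classifies firmware version strings of the form shown above against the product status and fixed builds listed in this advisory. Reading "and later" as any higher (version, build date) pair and mapping QTS 4.4.x onto the 4.5.4 fix are assumptions; every version string below other than the two fixed builds is constructed.

```python
import re

# Fixed QTS builds named in QSA-22-23 as (version tuple, build date), keyed
# by the affected branch they resolve. Assumptions: "and later" means any
# higher (version, build-date) pair, and QTS 4.4.x moves to the 4.5.4 fix.
FIXED_BY_BRANCH = {
    ("QTS", (5, 0, 0)): ((5, 0, 0, 2131), 20220815),
    ("QTS", (4, 5)): ((4, 5, 4, 2125), 20220810),
    ("QTS", (4, 4)): ((4, 5, 4, 2125), 20220810),
}

# Branches the advisory lists as affected but still "Fixing" at V1.0.
UNFIXED_BRANCHES = {
    ("QTS", (5, 0, 1)), ("QTS", (4, 3)),
    ("QuTS hero", (5, 0, 1)), ("QuTS hero", (5, 0, 0)), ("QuTS hero", (4, 5)),
    ("QuTScloud", (5, 0, 1)),
}

# Matches e.g. "QTS 5.0.0.2131 build 20220815" or "QuTS hero h5.0.1.2034 build 20220601"
VERSION_RE = re.compile(
    r"^(QTS|QuTS hero|QuTScloud)\s+[hc]?(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})$"
)

def parse_version(text):
    """Return (product, 4-part version tuple, build date as int) or None."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    version = tuple(int(x) for x in m.groups()[1:5])
    return m.group(1), version, int(m.group(6))

def patch_status(text):
    """Classify one firmware string against the advisory's product status."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    product, version, build = parsed
    # Try the most specific branch first (5.0.0 before 5.0), so that a
    # QTS 5.0.1 device is not mistaken for the fixed 5.0.0 line.
    for depth in (3, 2):
        branch = (product, version[:depth])
        if branch in FIXED_BY_BRANCH:
            if (version, build) >= FIXED_BY_BRANCH[branch]:
                return "fixed"
            return "update required"
        if branch in UNFIXED_BRANCHES:
            return "affected, no fix published"
    return "not listed in advisory"
```

Run patch_status() over each device's firmware string from an inventory export; any result other than "fixed" or "not listed in advisory" is a device to track until a fixed build ships.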
Recommendation
To secure a Qnap NAS, we strongly recommend the following actions:
Do not expose NAS to the internet. 
If you enabled myQnapcloud, set up myQnapcloud on the NAS to enable secure remote access. 
Update OS to the latest version. 

Reducing Internet exposure
Log in to your router. 
Disable the UPnP and DMZ functions. 
Disable all port forwarding rules. 
Use a VPN to reduce exposure of NAS services to the internet. 
For details, refer to this document. 

Setting Up myQnapcloud on NAS 
Log on to QTS, QuTS hero, or QuTScloud as an administrator.  
Open myQnapcloud.  

Disable UPnP port forwarding.  
Go to Auto Router Configuration.  
Deselect Enable UPnP Port forwarding.  

Enable DDNS.  
Go to My DDNS.   
Click the toggle button to enable My DDNS.  

Do not publish your NAS services.  
Go to Published Services.   
Deselect all items under Publish.  
Click Apply.  

Configure myQnapcloud Link to enable secure remote access to your NAS via a SmartURL.  
Go to myQnapcloud Link.  
Click Install to install myQnapcloud Link on your NAS.  
Click the toggle button to enable myQnapcloud Link.  

Restrict which users can remotely access your NAS via the SmartURL.
Go to Access Control.  
Next to Device access controls, select Private or Customized. 

Note: Selecting Private allows only the Qnap ID logged in to myQnapcloud to access the NAS via the SmartURL. 
Selecting Customized allows you to invite other Qnap ID accounts to access the device via the SmartURL.   
If you selected Customized, click Add and specify a Qnap ID to invite the user.  

Obtain the SmartURL by going to Overview. 
For questions on using myQnapcloud, visit this website page.

Updating QTS, QuTS hero or QuTScloud
Log on to QTS, QuTS hero or QuTScloud as an administrator.
Go to Control Panel > System > Firmware Update. 
Under Live Update, click Check for Update.
QTS, QuTS hero or QuTScloud downloads and installs the latest available update. 

Tip: You can also download the update from the company’s website. 
Go to Support > Download Center and then perform a manual update for your specific device.

Revision history: V1.0 (August 16, 2022) - Published