Qnap Security Advisory Bulletin ID: QSA-23-05

Concerning vulnerabilities in Samba

Qnap Systems, Inc. has published security enhancements against vulnerabilities that could affect specific versions of the firm's products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Vulnerabilities in Samba

Release date: June 14, 2023
Security ID: QSA-23-05
Severity: Medium
CVE identifier: CVE-2022-37966 | CVE-2022-37967 | CVE-2022-38023 | CVE-2022-45141

Affected products: Certain Qnap devices

Summary
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system.

The following Qnap OSs are affected:

  • QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances)

QES is not affected.

Only Qnap devices that run the affected OSs and also act as a domain controller or AD member are affected.

Standalone Qnap devices (those that act neither as a domain controller nor as an AD member) are not affected by the vulnerabilities. Qnap is currently fixing the vulnerabilities in QTS, QuTS hero, QuTScloud and QVP (QVR Pro appliances).

Check this security advisory regularly for updates and promptly update your Qnap OS to the latest version as soon as it is available.

Recommendation
Because RC4 encryption poses a high security risk, we strongly recommend replacing RC4 with the more secure AES algorithm when using a Qnap device as a domain controller or AD member.

  • When the Qnap device acts as a domain controller, we strongly recommend enforcing AES encryption.

  • When the Qnap device acts as an AD member, the encryption method should follow that of the domain controller. We also strongly recommend that the domain controller is configured to enforce AES encryption.

Until security updates are available, depending on the AD domain role of your Qnap device, we recommend enforcing AES encryption only, or at least allowing both AES and RC4 encryption, to mitigate the risks posed by the vulnerabilities.

Checking current encryption enforcement status:

  1. SSH into your Qnap OS.
  2. Enter the following command:
    sudo testparm -sv 2>/dev/null | grep "reject md5 servers"

Enforcing AES encryption only

  1. SSH into your Qnap OS.
  2. Enter the following commands:
    sudo setcfg global 'reject md5 servers' yes -f /etc/config/smb.conf
    sudo /etc/init.d/smb.sh restart

Allowing both AES and RC4 encryption

  1. SSH into your Qnap OS.
  2. Enter the following commands:
    sudo setcfg global 'reject md5 servers' no -f /etc/config/smb.conf
    sudo /etc/init.d/smb.sh restart
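The three procedures above (check, enforce AES only, allow AES and RC4) all turn on the single Samba option "reject md5 servers", which Samba documents as controlling whether winbindd requires AES for the Netlogon secure channel. The script below is an added example, not Qnap's own tooling: it audits and changes that option in a file. It assumes a portable awk edit in place of Qnap's setcfg, so it also runs on any POSIX system against a copy of smb.conf or against saved `testparm -sv` output; the default path /etc/config/smb.conf and the /etc/init.d/smb.sh restart are the advisory's. The function names and the status words yes/no/unset/invalid are this example's own.

```shell
#!/bin/sh
# Added example (not QNAP code): audit and change the Samba option
# "reject md5 servers" used by QSA-23-05. "yes" enforces AES, "no" keeps
# accepting RC4/HMAC-MD5 as well.
#
# Assumptions: the file is edited with a portable awk pass instead of
# QNAP's setcfg; the default path and the restart step are the advisory's.
SMB_CONF=/etc/config/smb.conf

# Print yes / no / unset / invalid for "reject md5 servers" in [global].
# "unset" means the Samba default of the installed version applies. Saved
# "testparm -sv" output always carries the effective value, so feeding that
# file here never yields "unset".
md5_server_status() {
    awk '
        # Track the current section: strip whitespace, then the brackets.
        /^[[:space:]]*\[/ {
            sect = tolower($0); gsub(/[[:space:]]/, "", sect)
            sect = substr(sect, 2, index(sect, "]") - 2)
        }
        # A later occurrence in [global] overrides an earlier one.
        sect == "global" && tolower($0) ~ /^[[:space:]]*reject[[:space:]]+md5[[:space:]]+servers[[:space:]]*=/ {
            v = tolower(substr($0, index($0, "=") + 1)); gsub(/[[:space:]]/, "", v); val = v
        }
        END {
            if (val == "")                       print "unset"
            else if (val ~ /^(yes|true|1|on)$/)  print "yes"
            else if (val ~ /^(no|false|0|off)$/) print "no"
            else                                 print "invalid"
        }
    ' "$1"
}

# Rewrite CONF so that [global] holds exactly one
# "reject md5 servers = VALUE" line; VALUE must be yes or no.
set_md5_servers() {
    conf=$1; value=$2
    case "$value" in
        yes|no) ;;
        *) echo "set_md5_servers: value must be yes or no, got '$value'" >&2; return 1 ;;
    esac
    tmp="$conf.tmp.$$"
    awk -v val="$value" '
        function emit() { print "\treject md5 servers = " val; done = 1 }
        /^[[:space:]]*\[/ {
            # Leaving [global] without having met the key: add it there.
            if (sect == "global" && !done) emit()
            sect = tolower($0); gsub(/[[:space:]]/, "", sect)
            sect = substr(sect, 2, index(sect, "]") - 2)
        }
        sect == "global" && tolower($0) ~ /^[[:space:]]*reject[[:space:]]+md5[[:space:]]+servers[[:space:]]*=/ {
            if (!done) emit()
            next        # replace the first occurrence, drop any duplicates
        }
        { print }
        END {
            # Key never written: file ended inside [global] or had no [global].
            if (!done) { if (sect != "global") print "[global]"; emit() }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# The advisory's restart step; the init script exists only on QNAP firmware.
restart_smb() {
    if [ -x /etc/init.d/smb.sh ]; then
        /etc/init.d/smb.sh restart
    else
        echo "restart_smb: /etc/init.d/smb.sh not found, restart Samba by hand" >&2
        return 1
    fi
}

# Usage: sh samba_rc4.sh status|enforce|allow [smb.conf]
case "${1:-}" in
    status)  md5_server_status "${2:-$SMB_CONF}" ;;
    enforce) set_md5_servers "${2:-$SMB_CONF}" yes && restart_smb ;;
    allow)   set_md5_servers "${2:-$SMB_CONF}" no  && restart_smb ;;
esac
```

To audit the effective value rather than the file, save the advisory's check output first (`testparm -sv 2>/dev/null > /tmp/effective.conf`) and run `md5_server_status /tmp/effective.conf`; the status function accepts every spelling of a Samba boolean, so an "invalid" result points at a typo that Samba would otherwise reject at load time.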


Revision history:
V1.0 (June 14, 2023) – Published

For questions regarding this issue, contact Qnap.
