QNAP says it is working on patches for OpenSSL bugs impacting its NAS devices

A ticking time bomb

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Taiwanese storage manufacturerQNAPhas acknowledged that some of itsNetwork-Attached Storage (NAS)devices are impacted by the vulnerabilitiesreported by OpenSSL, though it is still to release a fix.

According to the company, the OpenSSL security flaws tracked asCVE-2021-3711andCVE-2021-3712, impact its devices that run its QTS, QuTS hero, QuTScloudoperating system, as well as the Hybrid Backup Sync (HBS 3) data backup and disaster recovery solution.

In itsadvisory, QNAP explains that the vulnerabilities can be exploited to enable remote attackers to read data in the memory of the affected device, trigger a denial-of-service (DoS) attack, or run arbitrary code with the same permissions as that of the user running the HBS 3 app.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

“QNAP is thoroughly investigating the case. We will release security updates and provide further information as soon as possible,” read the QNAP advisory.

What’s the hold up?

Interestingly, the OpenSSL development team has already releasedOpenSSL v1.1.1lto address the flaws last week, on August 24.

However, the latest QNAP advisories only acknowledge the presence of the vulnerabilities in its devices. Not only has the company not released a fix, it hasn’t even put out an estimated date by which users can expect a patch.

QNAP isn’t alone though. Last week, fellow Taiwanese NAS vendorSynologyalsoacknowledged the presenceof the OpenSSL vulnerabilities in a slew of its products. And just like QNAP, Synology too hasn’t yet addressed the flaws, and instead tags them as “Pending” and “Ongoing”.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Internet-connected NAS devices are one of thefavorite targets of attackers, and both Synology and QNAP have been on the receiving end of such campaigns.

Although there haven’t yet been reports of a campaign against these devices that capitalize on the OpenSSL vulnerabilities, the delay in issuing patches should be a cause of concern for owners of the vulnerable devices.

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption

Samsung plans record-breaking 400-layer NAND chip that could be key to breaking 200TB barrier for ultra large capacity AI hyperscaler SSDs

Anker Nebula Mars 3 review: A powerful and truly portable projector