QNAP looks into Patches for OpenSSL Flaws
QNAP (Quality Network Appliance Provider), the Taiwanese corporation, announced that it is investigating two security flaws in OpenSSL to determine their impact. If its products turn out to be vulnerable, it will release updates for them.
The vulnerabilities are a severe buffer overflow in the SM2 decryption function and read buffer overruns while processing ASN.1 strings. Attackers could abuse them for arbitrary code execution, a denial-of-service condition, or disclosure of private memory contents, including private keys or sensitive plaintext. The vulnerabilities are:
- CVE-2021-3711 (CVSS score: 7.5) - OpenSSL SM2 decryption buffer overflow
- CVE-2021-3712 (CVSS score: 4.4) - Read buffer overruns processing ASN.1 strings
The advisory for CVE-2021-3711 states that an attacker who can present SM2 content for decryption to an application can cause attacker-chosen data to overflow the buffer by 62 bytes, changing the contents of data held after the buffer and either altering the application's behavior or crashing it.
OpenSSL is a strong, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. The project addressed the issues in OpenSSL versions 1.1.1l and 1.0.2za.
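A version triage for the fixed releases named above, as an added example that is not part of the original article: it parses `openssl version` banners and flags 1.1.1 and 1.0.2 builds older than 1.1.1l and 1.0.2za. The host names and banner lines are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed upstream releases named in the article, keyed by OpenSSL branch.
FIXED = {(1, 1, 1): "l", (1, 0, 2): "za"}

# Matches the banner printed by `openssl version`, e.g. "OpenSSL 1.1.1k  25 Mar 2021".
_BANNER = re.compile(r"\bOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def _rank(suffix):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)


def classify(banner):
    """Return 'needs-update', 'fixed', 'unknown-branch' or 'unparsed'."""
    m = _BANNER.search(banner)
    if not m:
        return "unparsed"  # e.g. LibreSSL or an empty line
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown-branch"  # the article names no fixed release for it
    return "needs-update" if _rank(m.group(4)) < _rank(fixed) else "fixed"


def triage(inventory):
    """Map each host in {host: banner} to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (not taken from any vendor bulletin).
SAMPLE = {
    "nas-01": "OpenSSL 1.1.1k  25 Mar 2021",
    "nas-02": "OpenSSL 1.1.1l  24 Aug 2021",
    "legacy-01": "OpenSSL 1.0.2y  16 Feb 2021",
    "legacy-02": "OpenSSL 1.0.2za  24 Aug 2021",
    "router-01": "LibreSSL 3.3.6",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:10} {status}")
```

Distribution packages often backport fixes without changing the upstream version letter, so a "needs-update" result on Debian, Red Hat, SUSE or Ubuntu should be confirmed against that vendor's bulletin.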
QNAP is a comprehensive solutions provider in software development, hardware strategy, and in-house manufacturing. QNAP has now stepped into a Cloud NAS solution that joins its front-line subscription-based software and expanded service ecosystem.
NetApp highlighted that the flaws impact the following products, while it continues to analyze the others in its listing:
- Clustered Data ONTAP
- Clustered Data ONTAP Antivirus Connector
- E-Series SANtricity OS Controller Software 11.x
- NetApp Manageability SDK
- NetApp SANtricity SMI-S Provider
- NetApp SolidFire & HCI Management Node
- NetApp Storage Encryption
The Taiwanese company also pointed out that a number of vulnerabilities enable threat actors to carry out actions such as denial-of-service attacks or arbitrary code execution through an exposed version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server or VPN Server.
Security bulletins have also been released by companies whose products depend on OpenSSL. These include Debian, Red Hat (CVE-2021-3711, CVE-2021-3712), SUSE (CVE-2021-3711, CVE-2021-3712), and Ubuntu (CVE-2021-3711, CVE-2021-3712).