QNAP is very transparent about security vulnerabilities. It has now published the status of several vulnerabilities in the Samba package shipped on its NAS devices, which are rated with the severity level “High”. The individual issues are tracked as CVE-2022-32742 | CVE-2022-2031 | CVE-2022-32744 | CVE-2022-32745 | CVE-2022-32745.
The following versions are affected according to QNAP:
- QTS 5.0.1
- QTS 5.0.0
- QTS 4.5.x/4.4.x
- QTS 4.3.x
- QTS 4.2.x (CVE-2022-32742 only, will not be fixed)
- QuTS hero h5.0.1
- QuTS hero h5.0.0
- QuTS hero h4.5.x
- QuTScloud c5.0.1
The issues are already fixed in QTS 188.8.131.525 build 20220815 and newer as well as QTS 184.108.40.2065 build 20220810 and newer. QNAP additionally recommends disabling SMB1, so make sure you are on the safe side.
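As an added illustration of the SMB1 recommendation (this is not QNAP's or Samba's own code), the following script reads an smb.conf and reports whether an SMB1 dialect is still accepted. It assumes Samba's `server min protocol` semantics (deprecated synonym `min protocol`, compiled-in default NT1 before Samba 4.11 and SMB2_02 from 4.11 on) and uses two constructed sample configurations.

```python
# Samba dialect levels, oldest first; everything below SMB2_02 is an SMB1 dialect.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
# Bare names resolve to a specific variant, as documented in smb.conf(5).
ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}
# 'min protocol' is the deprecated synonym of 'server min protocol'; fold it so
# that the last occurrence in the file wins, as in Samba.
SYNONYMS = {"minprotocol": "serverminprotocol"}

def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf parser: {section: {normalised option: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # full-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = "".join(key.split()).lower()       # Samba ignores case and spaces in names
        sections[current][SYNONYMS.get(key, key)] = value.strip()
    return sections

def effective_min_protocol(text: str, default_min: str = "NT1") -> str:
    """Effective lowest accepted dialect; default_min models the build default."""
    value = parse_smb_conf(text).get("global", {}).get("serverminprotocol", default_min)
    value = ALIASES.get(value.upper(), value.upper())
    if value not in DIALECTS:
        raise ValueError(f"unknown protocol level: {value!r}")
    return value

def smb1_enabled(text: str, default_min: str = "NT1") -> bool:
    """True when the configuration still accepts an SMB1 dialect."""
    return DIALECTS.index(effective_min_protocol(text, default_min)) < DIALECTS.index("SMB2_02")

# Constructed sample configurations (not taken from any real device).
WEAK_CONF = "[global]\n    workgroup = WORKGROUP\n    min protocol = NT1\n"
HARDENED_CONF = "[global]\n    workgroup = WORKGROUP\n    server min protocol = SMB2_02\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: min={effective_min_protocol(conf)} smb1_enabled={smb1_enabled(conf)}")
```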
Medium, CVE-2022-2031: An SMB1 client with write access to a share can cause server memory contents to be written to a file or printer.
Medium, CVE-2022-2031: The KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other’s tickets. A user who has been asked to change their password can exploit this to obtain and use tickets for other services.
High, CVE-2022-32744: The KDC accepts kpasswd requests encrypted with any key it knows. By encrypting fake kpasswd requests with their own key, a user can change other users’ passwords, allowing full domain takeover.
Medium, CVE-2022-32745: Samba AD users can cause the server to access uninitialized data via an LDAP Add or Modify request, which usually results in a segmentation fault.
Medium, CVE-2022-32745: The AD DC database logging engine can be tricked into accessing LDAP message values already released by a previous database engine, resulting in a use-after-free. This is only possible if certain privileged attributes, such as userAccountControl.