this post was submitted on 14 Jun 2023
9 points (90.9% liked)

Cybersecurity

5733 readers
74 users here now

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

THE RULES

Instance Rules

Community Rules

If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.

Learn about hacking

Hack the Box

Try Hack Me

Pico Capture the flag

Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected] [email protected] [email protected]

Notable mention to [email protected]

founded 1 year ago
MODERATORS
9
submitted 1 year ago* (last edited 1 year ago) by Tempiz to c/cybersecurity
 

Received this QNAP security bulletin this morning. Update your QNAP products!

June 14, 2023 - QNAP® had published security enhancement against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Vulnerabilities in Samba

Release date: June 14, 2023 Security ID: QSA-23-05 Severity: Medium CVE identifier: CVE-2022-37966 | CVE-2022-37967 | CVE-2022-38023 | CVE-2022-45141 Affected products: Certain QNAP Devices

Summary

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system. The following QNAP operating systems are affected:

• QTS, QuTS hero, QuTScloud, QVP (QVR Pro appliances) QES is not affected.

Only QNAP devices that run the affected operating systems and also act as a domain controller or AD member are affected.

Standalone QNAP devices are not affected by the vulnerabilities.

QNAP is currently fixing the vulnerabilities in QTS, QuTS hero, QuTScloud and QVP (QVR Pro appliances).

Please check this security advisory regularly for updates and promptly update your QNAP operating system to the latest version as soon as it is available.

Recommendation

Because RC4 encryption poses a high security risk, we strongly recommend replacing RC4 with the more secure AES algorithm when using a QNAP device as a domain controller or AD member.

• When the QNAP device acts as a domain controller, we strongly recommend enforcing AES encryption. • When the QNAP device acts as an AD member, the encryption method should follow that of the domain controller. We also strongly recommend that the domain controller is configured to enforce AES encryption. Before security updates are available, depending on the AD domain role of your QNAP device, we recommend enforcing AES encryption only or at least allowing both AES and RC4 encryption to mitigate the risks posed by the vulnerabilities.

no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here