QNAP is warning clients that a recently disclosed vulnerability affects most of its NAS devices, with no mitigation available while the vendor readies a patch.
Customers of Taiwan-based QNAP Systems are in a bit of limbo, waiting until the company releases a patch for an OpenSSL bug that the company has warned affects most of its network-attached storage (NAS) devices. The vulnerability can trigger an infinite loop that creates a denial-of-service (DoS) scenario.
Though the bug – tracked as CVE-2022-0778 and rated 7.5 (high severity) on the CVSS severity-rating scale – has been patched by OpenSSL, QNAP hasn’t gotten around to applying a fix yet for its NAS devices affected by the vulnerability. The company is telling customers that “there is no mitigation available” and they “must check back and install security updates as soon as they become available.”
“QNAP is thoroughly investigating the case,” the company said. “We will release security updates and provide further information as soon as possible.”
The vulnerability is in OpenSSL’s BN_mod_sqrt() function, which computes a modular square root. The bug can be triggered by crafting a certificate that has invalid explicit curve parameters, causing the function to loop forever,
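The defender-side check below is an added example, not code from QNAP, OpenSSL or the article: a stdlib-only Python classifier that reports whether an X.509 SubjectPublicKeyInfo names its curve by OID or carries explicit (specifiedCurve) EC parameters, the form the crafted certificate described above depends on. Because PKIX (RFC 5480) permits only namedCurve, a TLS front end or certificate-ingestion pipeline can reject anything else before an unpatched OpenSSL build ever parses it; the DER helpers, OID constants and sample blobs are constructed for this example.

```python
# Pre-filter: classify the EC parameters inside an X.509 SubjectPublicKeyInfo (DER).
# Explicit (specifiedCurve) parameters are the shape CVE-2022-0778 needs; PKIX (RFC 5480)
# only permits namedCurve, so anything else can be rejected before OpenSSL parses it.
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"   # id-ecPublicKey

def _read_tlv(data: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: 0x8N followed by N bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value: bytes) -> str:
    """Turn OID content octets into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def classify_ec_params(spki_der: bytes) -> str:
    """Return 'named', 'explicit', 'implicit', 'absent', 'not-ec' or 'unknown'."""
    _, spki, _ = _read_tlv(spki_der, 0)    # SubjectPublicKeyInfo ::= SEQUENCE
    _, algid, _ = _read_tlv(spki, 0)       # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, pos = _read_tlv(algid, 0)    # algorithm OBJECT IDENTIFIER
    if tag != 0x06 or _decode_oid(oid) != ID_EC_PUBLIC_KEY:
        return "not-ec"
    if pos >= len(algid):
        return "absent"                    # no parameters field at all
    ptag = algid[pos]                      # namedCurve OID / ECParameters SEQUENCE / NULL
    return {0x06: "named", 0x30: "explicit", 0x05: "implicit"}.get(ptag, "unknown")

# --- constructed sample inputs (not real keys; the BIT STRING below is a dummy) ---
def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value  # short-form length suffices for the samples

EC_OID = bytes.fromhex("2a8648ce3d0201")      # 1.2.840.10045.2.1 id-ecPublicKey
P256_OID = bytes.fromhex("2a8648ce3d030107")  # 1.2.840.10045.3.1.7 prime256v1
DUMMY_KEY = _tlv(0x03, b"\x00\x04" + b"\x11" * 4)
NAMED_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, EC_OID) + _tlv(0x06, P256_OID)) + DUMMY_KEY)
# specifiedCurve is an ECParameters SEQUENCE; a stub body (version INTEGER 1) is enough here
EXPLICIT_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, EC_OID) + _tlv(0x30, _tlv(0x02, b"\x01"))) + DUMMY_KEY)
```

The classifier only detects the presence of explicit parameters, not whether they are valid, which is exactly the property a policy filter wants: it is a triage control for the window before the vendor patch lands, not a replacement for it.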