Warning: Multiple vulnerabilities found in the Netatalk protocol affecting QNAP and Synology NAS devices
Exploiting these vulnerabilities could allow an unauthenticated remote attacker to execute arbitrary code on appliances that implement the vulnerable netatatalk protocol. Netatalk, is an open-source version of the Apple File Protocol fileserver for accessing network shares in multiple operating system environments. Netatalk is implemented by Network Attached Storage device vendors QNAP & Synology.
At the time of writing (2 May 2022), there are no observations of active exploitation attempts reported. Please be cautious NAS deployments are frequent targets of cybercriminal groups, especially ransomware and data theft operations. Opportunistic attacks can occur in a short timeframe.
The CCB urges system administrators to patch the vulnerable systems as soon as possible.
On the 25th of April 2022, QNAP published a security advisory regarding multiple vulnerabilities affecting Netatalk, which is an open-source implementation of the Apple Filing Protocol (AFP) used by QNAP devices so that they can act as a file server for macOS clients.
While Netatalk 3.1.13 was released to address these vulnerabilities, users will need to update their QNAP devices in order to remediate the vulnerable Netatalk versions.
Following QNAP’s publication, on the 28th of April, Synology published a similar security advisory regarding the same Netatalk vulnerabilities affecting multiple versions of Synology’s DiskStation Manager and Router Manager.
At the time of this writing only QNAP QTS version 220.127.116.112 build 20220419 and later, and Synology DSM version 7.1-42661-1 and later are protected. Both companies are currently working on patches for the other affected software versions.
QNAP recommends disabling the use of AFP as a mitigation until patches are available.
Synology recommends contacting their technical support for immediate assistance.
- The Centre for Cyber Security Belgium recommends system administrators of QNAP/Synology devices to monitor the respective advisory pages and to update their devices when updates become available.
- Disconnect vulnerable devices that are connected to the internet, if there is no business use-case.