Taipei, Taiwan, April 19, 2016 - QNAP® has published security enhancements for security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Security Alert for Badlock on File Sharing Using Microsoft Networking (Samba)
Release date: April 19, 2016
Last updated: April 19, 2016
Bulletin ID: NAS-201604-19
Severity rating: High
Affected products:
- All QNAP NAS running the Microsoft Networking service (Samba)
Summary
The Samba Team has announced several security vulnerabilities affecting Samba services. One of them is known as "Badlock" and is found in the Distributed Computing Environment (DCE)/Remote Procedure Call (RPC) protocols. It enables privilege-escalation attacks against a client connection that is authenticated to a server running Microsoft file sharing or the Samba service. In addition to the Badlock (CVE-2016-2118) vulnerability, there are other related security flaws affecting Samba configured as a standalone server (CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2114, and CVE-2016-2115). These vulnerabilities allow a downgrade of the authentication level of LDAP connections, execution of applications to sniff network traffic, improper validation of TLS/SSL certificates, unprotected client connections for IPC traffic, and more. Successful exploitation of these vulnerabilities could lead to denial-of-service (DoS) and man-in-the-middle (MITM) attacks, and further result in loss of control of associated services or impact connectivity to the Samba service.
Solution
Update your system to QTS 4.2.0 and then apply Qfix (BadlockFix_4.2.0.1). This Qfix is only applicable to QTS 4.2.0.
1. Go to the download page of the QNAP website (http://www.qnap.com/download) and choose your NAS model. Read the release notes before downloading the Qfix.
2. Log into your NAS as an administrator, go to “Control Panel” > “Firmware Update”, and choose the “Firmware Update” tab. Follow the on-screen instructions to install the Qfix.
For more detailed instructions on how to apply a Qfix, please see "How to install a Qfix?"
We strongly recommend that users update their firmware to the latest version. However, we will release a Qfix for previous firmware versions at a later date.
Note: The Microsoft Networking service will restart after you install this Qfix. You do not need to reboot your NAS.
Network Security Advice
To enhance the security level of the Samba service on your QNAP NAS and to better protect against unwanted connections, please implement the following security practices:
1. Permit connectivity only from trusted addresses
Log into your NAS as an administrator, and then go to “Control Panel” > “Security” > “Security Level”. Select “Allow connections from the list only” to allow only permitted addresses to connect to the NAS, or select “Deny connections from the list” to block specific IP addresses regardless of the services or protocols used for connection.
2. Restrict connectivity to shared folders via Microsoft Networking
Log into your NAS as an administrator, and then go to “Control Panel” > “Privilege Settings” > “Shared Folders”. Select a shared folder, choose “Microsoft Networking host access” from the drop-down menu, and specify the hosts or IP addresses that are allowed to connect to this shared folder, so that unwanted connections are filtered out.
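The two practices above restrict which hosts may reach the Samba service; the Samba fixes for the Badlock family additionally rely on signing and DCE/RPC settings that refuse downgraded or unprotected connections. The following audit script is an added example, not QNAP's own code or part of this advisory. It assumes (an assumption, not a statement from QNAP) that the NAS's “Microsoft Networking host access” setting corresponds to the Samba `hosts allow` share parameter, and it checks the global Samba parameters `server signing`, `client signing`, `client ipc signing` and `allow dcerpc auth level connect` as documented by the Samba project for the releases that carry the Badlock fixes. Both smb.conf samples are constructed for the example: one weak, one hardened.

```python
"""Audit a Samba smb.conf for the host-restriction and signing settings that
mitigate the Badlock class of downgrade / man-in-the-middle attacks.

Added example, not QNAP's own code. Assumptions (not from the advisory):
  - the NAS "Microsoft Networking host access" setting maps to the Samba
    'hosts allow' share parameter;
  - 'server signing', 'client signing', 'client ipc signing' and
    'allow dcerpc auth level connect' behave as documented by the Samba
    project for releases carrying the Badlock fixes.
"""
import configparser
from typing import List

# Constructed sample: a weak configuration before hardening.
WEAK_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server signing = auto
    client signing = auto

[Public]
    path = /share/Public
    writable = yes

[Multimedia]
    path = /share/Multimedia
    writable = yes
    hosts allow = 192.168.1.0/24
"""

# Constructed sample: the same configuration after applying the advice above.
HARDENED_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    server signing = mandatory
    client signing = mandatory
    client ipc signing = mandatory
    allow dcerpc auth level connect = no
    hosts allow = 192.168.1.0/24 127.0.0.1

[Public]
    path = /share/Public
    writable = yes
    hosts allow = 192.168.1.10 192.168.1.11

[Multimedia]
    path = /share/Multimedia
    writable = yes
    hosts allow = 192.168.1.0/24
"""

# Global settings that refuse downgraded or unsigned connections.
REQUIRED_GLOBAL = {
    "server signing": "mandatory",
    "client signing": "mandatory",
    "client ipc signing": "mandatory",
    "allow dcerpc auth level connect": "no",
}


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like: '[section]' headers and 'key = value' lines."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    # Normalise keys: Samba ignores case and collapses whitespace in names.
    cp.optionxform = lambda key: " ".join(key.lower().split())
    cp.read_string(text)
    return cp


def audit(text: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    cp = parse_smb_conf(text)
    findings: List[str] = []
    glob = cp["global"] if cp.has_section("global") else {}

    for key, wanted in REQUIRED_GLOBAL.items():
        actual = glob.get(key, "<unset>").strip().lower()
        if actual != wanted:
            findings.append(f"[global] {key} = {actual} (want {wanted})")

    # A global 'hosts allow' covers every share; otherwise each share needs
    # its own restriction to match the "host access" advice above.
    global_allow = glob.get("hosts allow", "").strip()
    for share in cp.sections():
        if share == "global":
            continue
        if not cp[share].get("hosts allow", "").strip() and not global_allow:
            findings.append(f"[{share}] has no 'hosts allow' restriction")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(f"== {label} ==")
        for finding in audit(conf) or ["no findings"]:
            print("  " + finding)
```

Running the script reports five findings for the weak sample (four missing or downgraded global settings plus the unrestricted `[Public]` share) and none for the hardened one. Setting `server signing = mandatory` on a standalone file server makes every SMB session signed, which costs some throughput and rejects clients that cannot sign, so confirm the client population before enforcing it; the host restriction, by contrast, is purely additive and is the first thing to verify after applying the Qfix.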
If you have any questions regarding this issue, please contact us at http://helpdesk.qnap.com/.