Quote:On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service (DoS) bugs, fixed last week, that affect its network-attached storage (NAS) devices.
 
The vulnerabilities are tracked as CVE-2021-3711 – a high-severity buffer overflow related to SM2 decryption– and CVE-2021-3712, a medium-severity flaw that can be exploited for DoS attacks and possibly for the disclosure of private memory contents.
 
These OpenSSL flaws are spreading ripples far and wide. That’s because OpenSSL is mostly used by network software – including being widely used by Internet servers and the majority of HTTPS websites – that use the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.
 
TLS has replaced SSL, which contained what Sophos’s Paul Ducklin called a “huge” number of cryptographic flaws. But many popular open-source programming libraries that support it – including OpenSSL, LibreSSL and BoringSSL, “have kept old-school product names for the sake of familiarity,” Ducklin commented in a recent drilldown into the OpenSSL bugs.
 
QNAP on Monday joined a parade of organizations whose products rely on OpenSSL and which are either investigating the flaws (in QNAP’s case) or have already released security advisories, including Linux distributions such as Red Hat (not affected), Ubuntu, SUSE, Debian and Alpine Linux.