Security ID : QSA-23-05
Vulnerabilities in Samba
Release date : June 14, 2023
CVE identifier : CVE-2022-37966 | CVE-2022-37967 | CVE-2022-38023 | CVE-2022-45141
Affected products: QTS 5.1.x, 5.0.x, 4.5.x; QuTS hero h5.1.x, h5.0.x, h4.5.x; QuTScloud c5.x
Severity
Moderate
Status
Resolved
Summary
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba, including vulnerabilities related to RC4 encryption. If exploited, some of these vulnerabilities allow an attacker to take control of an affected system.
Only QNAP devices that run the affected operating systems and also act as a domain controller or AD member are affected.
Standalone QNAP devices are not affected by the vulnerabilities.
We have already fixed the vulnerabilities in the following versions:
| Affected Product | Fixed Version |
| QTS 5.1.x | QTS 5.1.0.2444 build 20230629 and later |
| QTS 5.0.x | QTS 5.0.1.2425 build 20230609 and later |
| QTS 4.5.x | QTS 4.5.4.2467 build 20230718 and later |
| QuTS hero h5.1.x | QuTS hero h5.1.0.2424 build 20230609 and later |
| QuTS hero h5.0.x | QuTS hero h5.0.1.2515 build 20230907 and later |
| QuTS hero h4.5.x | QuTS hero h4.5.4.2476 build 20230728 and later |
| QuTScloud c5.x | QuTScloud c5.1.0.2498 and later |
Recommendation
To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.
Updating QTS, QuTS hero, or QuTScloud
- Log in to QTS, QuTS hero, or QuTScloud as an administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
The system downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Recommendation for Users Who Decide Not to Update
If at this time you decide not to update your QNAP operating system to a fixed version, we strongly recommend replacing RC4 with the more secure AES algorithm when using your QNAP device as a domain controller or AD member:
- When the QNAP device acts as a domain controller, we strongly recommend enforcing AES encryption.
- When the QNAP device acts as an AD member, the encryption method should follow that of the domain controller. We also strongly recommend that the domain controller is configured to enforce AES encryption.
Depending on the AD domain role of your QNAP device, we recommend enforcing AES encryption only or at least allowing both AES and RC4 encryption to mitigate the risks posed by the vulnerabilities.
Checking the Current Encryption Enforcement Status
- SSH into your QNAP operating system.
- Enter the following command:
sudo testparm -sv 2>/dev/null | grep "reject md5 servers"
Enforcing AES Encryption Only
- SSH into your QNAP operating system.
- Enter the following commands:
sudo setcfg global 'reject md5 servers' yes -f /etc/config/smb.conf
sudo /etc/init.d/smb.sh restart
Allowing Both AES and RC4 Encryption
- SSH into your QNAP operating system.
- Enter the following commands:
sudo setcfg global 'reject md5 servers' no -f /etc/config/smb.conf
sudo /etc/init.d/smb.sh restart
Attachment
Revision History:
V1.0 (June 14, 2023) - Published
V2.0 (December 08, 2023) - All versions resolved
