Security ID : NAS-201908-01
Security Advisory for Samba
Release date : August 1, 2019
CVE identifier : CVE-2019-3880 | CVE-2019-3824
Affected products: All QNAP NAS running QTS 4.2.6 and earlier versions
Severity
Moderate
Status
Resolved
Summary
Two reported Samba 4.0 vulnerabilities may affect QNAP NAS devices running QTS 4.2.6 and earlier versions. Below are the details for each CVE.
- CVE-2019-3880: This path traversal vulnerability affects an RPC endpoint implemented in Samba that emulates the Windows registry service API. If exploited, attackers may be able to access the Samba share.
- CVE-2019-3824: If exploited, authenticated users can use specific search expressions to crash the shared LDAP process of the AD DC. This leads to denial-of-service.
We have already fixed these issues in the following QTS versions:
- QTS 4.4.1: build 20190626 and later
- QTS 4.4.0: build 20190627 and later
- QTS 4.3.6: build 20190531 and later
- QTS 4.3.4: build 20190701 and later
- QTS 4.3.3: build 20190629 and later
- QTS 4.2.6: build 20190629 and later
Recommendation
To fix these vulnerabilities, we recommend updating QTS to the latest version.
Installing the QTS Update
- Log on to QTS as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Revision History: V1.0 (August 1, 2019) - Published
