Security ID : QSA-22-22

Multiple Vulnerabilities in Samba


  • Release date: August 16, 2022

  • CVE identifier: CVE-2022-32742 | CVE-2022-2031 | CVE-2022-32744 | CVE-2022-32745 | CVE-2022-32746

  • Affected products: Certain QNAP NAS

Severity

Important

Status

Resolved


Summary

Multiple vulnerabilities have been reported to affect Samba:

  • Medium, CVE-2022-32742: An SMB1 client with write access to a share can cause server memory contents to be written into a file or printer.
  • Medium, CVE-2022-2031: The KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password can exploit this to obtain and use tickets to other services.
  • High, CVE-2022-32744: The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change the passwords of other users, enabling full domain takeover.
  • Medium, CVE-2022-32745: Samba AD users can cause the server to access uninitialised data with an LDAP add or modify request, usually resulting in a segmentation fault.
  • Medium, CVE-2022-32746: The AD DC database audit logging module can be made to access LDAP message values that have been freed by a preceding database module, resulting in a use-after-free. This is only possible when modifying certain privileged attributes, such as userAccountControl.

Product Status

The following QNAP operating system versions have been affected:

  • QTS 5.0.1
  • QTS 5.0.0
  • QTS 4.5.x/4.4.x
  • QTS 4.3.x
  • QTS 4.2.x (CVE-2022-32742 only, will not fix)
  • QuTS hero h5.0.1
  • QuTS hero h5.0.0
  • QuTS hero h4.5.x
  • QuTScloud c5.0.1

We have already fixed the vulnerabilities in the following versions:

  • QTS 5.0.1.2131 build 20220820 and later
  • QTS 5.0.0.2131 build 20220815 and later
  • QTS 4.5.4.2138 build 20220824 and later
  • QTS 4.3.6.2232 build 20221124 and later
  • QTS 4.3.4.2242 build 20221124 and later
  • QTS 4.3.3.2211 build 20221124 and later
  • QuTS hero h5.0.0.2120 build 20220804 and later
  • QuTS hero h4.5.4.2138 build 20220824 and later
  • QuTScloud c5.0.1.2148 and later
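As an added example (not part of the QNAP advisory), the script below classifies a firmware version string against the fixed builds listed above, so an inventory export can be checked in bulk rather than by eye. The version-string format it parses is assumed from the list above; the sample inputs are constructed.

```python
import re

# Fixed builds listed in QSA-22-22, keyed by (product, release branch).
# Value: lowest build number on that branch that carries the fix.
FIXED_BUILDS = {
    ("QTS", "5.0.1"): 2131, ("QTS", "5.0.0"): 2131, ("QTS", "4.5.4"): 2138,
    ("QTS", "4.3.6"): 2232, ("QTS", "4.3.4"): 2242, ("QTS", "4.3.3"): 2211,
    ("QuTS hero", "h5.0.0"): 2120, ("QuTS hero", "h4.5.4"): 2138,
    ("QuTScloud", "c5.0.1"): 2148,
}
# Branch prefixes the advisory lists as affected (matched with startswith).
AFFECTED = [
    ("QTS", "5.0.1"), ("QTS", "5.0.0"), ("QTS", "4.5."), ("QTS", "4.4."),
    ("QTS", "4.3."), ("QTS", "4.2."), ("QuTS hero", "h5.0.1"),
    ("QuTS hero", "h5.0.0"), ("QuTS hero", "h4.5."), ("QuTScloud", "c5.0.1"),
]
WILL_NOT_FIX = [("QTS", "4.2.")]  # affected, but QNAP will not ship a fix

# Assumed format: "<product> <branch>.<build>[ build <yyyymmdd>]", e.g.
# "QTS 5.0.1.2131 build 20220820" or "QuTScloud c5.0.1.2148".
VERSION_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero|QuTScloud)\s+"
    r"(?P<branch>[hc]?\d+\.\d+\.\d+)\.(?P<build>\d+)"
    r"(?:\s+build\s+(?P<date>\d{8}))?$"
)

def parse_version(text):
    """Return (product, branch, build) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return m["product"], m["branch"], int(m["build"])

def assess(text):
    """Classify one firmware version string against the advisory."""
    product, branch, build = parse_version(text)
    if (product, branch) in FIXED_BUILDS:
        return "fixed" if build >= FIXED_BUILDS[(product, branch)] else "vulnerable"
    if any(product == p and branch.startswith(pfx) for p, pfx in WILL_NOT_FIX):
        return "will-not-fix"
    if any(product == p and branch.startswith(pfx) for p, pfx in AFFECTED):
        # Affected branch with no in-branch fix listed: move to a fixed branch.
        return "vulnerable-no-fix-listed"
    return "not-listed"  # branch not named in QSA-22-22 (e.g. released later)

if __name__ == "__main__":
    # Constructed sample inventory lines, not real devices.
    for v in ["QTS 5.0.1.2131 build 20220820", "QTS 4.4.1.1234", "QTS 4.2.6.1230"]:
        print(f"{v:35} -> {assess(v)}")
```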

Recommendation

To secure your QNAP NAS, we strongly recommend the following actions:

  • Do not expose SMB service to the internet.
  • Disable SMB 1.
  • Do not expose your NAS to the internet.
  • If you enabled myQNAPcloud, set up myQNAPcloud on the NAS to enable secure remote access.
  • Update your operating system to the latest version.

Disabling SMB 1

  1. Log on to QTS, QuTS hero or QuTScloud.
  2. Go to Control Panel > Network & File > Win/Mac/NFS/WebDAV > Microsoft Networking.
  3. Click Advanced Options.
    The Advanced Options window opens.
  4. Next to Lowest SMB version, select SMB 2 or higher.
  5. Click Apply.

Reducing Internet Exposure

  1. Log in to your router.
  2. Disable the UPnP and DMZ functions.
  3. Disable all port forwarding rules.
  4. Use a VPN to reduce exposure of NAS services to the internet.
    For details, refer to this document.

Setting Up myQNAPcloud on the NAS

  1. Log on to QTS, QuTS hero, or QuTScloud as an administrator.
  2. Open myQNAPcloud.
  3. Disable UPnP port forwarding.
    1. Go to Auto Router Configuration.
    2. Deselect Enable UPnP Port forwarding.
  4. Enable DDNS.
    1. Go to My DDNS.
    2. Click the toggle button to enable My DDNS.
  5. Do not publish your NAS services.
    1. Go to Published Services.
    2. Deselect all items under Publish.
    3. Click Apply.
  6. Configure myQNAPcloud Link to enable secure remote access to your NAS via a SmartURL.
    1. Go to myQNAPcloud Link.
    2. Click Install to install myQNAPcloud Link on your NAS.
    3. Click the toggle button to enable myQNAPcloud Link.
  7. Restrict which users can remotely access your NAS via the SmartURL.
    1. Go to Access Control.
    2. Next to Device access controls, select Private or Customized.
      Note: Selecting Private allows only the QNAP ID logged in to myQNAPcloud to access the NAS via the SmartURL. Selecting Customized allows you to invite other QNAP ID accounts to access the device via the SmartURL.
    3. If you selected Customized, click Add and specify a QNAP ID to invite the user.
  8. Obtain the SmartURL by going to Overview.
    For questions on using myQNAPcloud, visit https://support.myqnapcloud.com/

Updating QTS, QuTS hero or QuTScloud

  1. Log on to QTS, QuTS hero or QuTScloud as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
    QTS, QuTS hero or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Revision History:
V1.0 (August 16, 2022) - Published
V1.1 (September 1, 2022) - Security update available for QuTS hero h4.5.4
V2.0 (August 2, 2023) - Resolved
