Synology warns of critical Netatalk bugs in multiple products

Synology has warned customers that some of its network-attached storage (NAS) appliances are exposed to attacks exploiting multiple critical Netatalk vulnerabilities.

“Multiple vulnerabilities allow remote attackers to obtain sensitive information and possibly execute arbitrary code via a susceptible version of Synology DiskStation Manager (DSM) and Synology Router Manager (SRM),” Synology said.

Netatalk is an AFP (short for Apple Filing Protocol) open-source implementation that allows systems running *NIX/*BSD to act as AppleShare file servers (AFP) for macOS clients (i.e., to access files stored on Synology NAS devices).

The Netatalk development team addressed the security bugs in version 3.1.1, released on March 22, three months after the Pwn2Own 2021 hacking competition, where they were first disclosed and exploited.

QNAP also working on Netatalk patches

QNAP said the Netatalk vulnerabilities impact multiple QTS and QuTS hero operating system versions and QuTScloud, the company’s cloud-optimized NAS operating system.

Like Synology, QNAP has already released patches for one of the affected OS versions, with fixes already available for appliances running QTS 4.5.4.2012 build 20220419 and later.

“QNAP is thoroughly investigating the case. We will release security updates for all affected QNAP operating system versions and provide further information as soon as possible,” the NAS maker said.

“We recommend users to check back and install security updates as soon as they become available.”

Original Post: Synology warns of critical Netatalk bugs in multiple products