QNAP urges its customers to disable the AFP file protocol on their NAS appliances until the Netatalk vulnerabilities are fixed. Netatalk, an implementation of AFP, lets a system act as an AppleShare file server for macOS clients, which is how macOS systems access data on the NAS. Without AFP, macOS systems will not be able to access data on the NAS.
Multiple vulnerabilities with 9.8 severity ratings
The Netatalk development team disclosed multiple vulnerabilities affecting earlier versions of the software, fixed with the release of Netatalk 3.1.13: CVE-2021-31439, CVE-2022-23121, CVE-2022-23123, CVE-2022-23122, CVE-2022-23125, CVE-2022-23124, and CVE-2022-0194. The QNAP operating system versions affected by these vulnerabilities are:
- QTS 5.0.x and later
- QTS 4.5.4 and later
- QTS 4.3.6 and later
- QTS 4.3.4 and later
- QTS 4.3.3 and later
- QTS 4.2.6 and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.4 and later
- QuTScloud c5.0.x
The vulnerabilities are already fixed in QTS 4.5.4.2012 build 20220419 and later. QNAP stated that it is investigating the case and will release security updates for all affected QNAP operating system versions and provide further information as soon as possible.
To mitigate the vulnerabilities, QNAP asked users to disable AFP and to install the security updates as soon as they become available. AFP can be disabled by selecting Disable AFP under the Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Apple Networking menu of a QTS or QuTS hero NAS device.
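A client-side check that the mitigation actually took effect, added here as an example and not QNAP's or Netatalk's own code: it sends the DSIGetStatus request that any AFP client sends on connect (AFP rides on DSI over TCP port 548) and decodes the FPGetSrvrInfo reply, so a NAS that still answers with a server name and AFP version list has AFP enabled. The sample reply and the host name are constructed, not captured from a real device.

```python
import socket
import struct

DSI_GET_STATUS = 3  # DSI command that asks an AFP server for its FPGetSrvrInfo block
DSI_HEADER = struct.Struct(">BBHIII")  # flags, command, request id, error/offset, data length, reserved

def build_get_status(request_id=1):  # 16-byte DSIGetStatus request header; no payload follows
    return DSI_HEADER.pack(0, DSI_GET_STATUS, request_id, 0, 0, 0)

def _pstring(buf, off):  # Pascal string: one length byte followed by that many bytes
    return buf[off + 1:off + 1 + buf[off]].decode("ascii", "replace")

def parse_server_info(payload):
    """Decode the fixed part of an FPGetSrvrInfo reply: name, machine type, AFP versions, UAMs."""
    machine_off, versions_off, uams_off, _icon_off, flags = struct.unpack_from(">HHHHH", payload, 0)
    info = {"server_name": _pstring(payload, 10),  # name follows the five 16-bit fields
            "machine_type": _pstring(payload, machine_off), "flags": flags}
    for key, off in (("afp_versions", versions_off), ("uams", uams_off)):
        items, pos = [], off + 1  # byte at off is the entry count
        for _ in range(payload[off]):
            items.append(_pstring(payload, pos))
            pos += 1 + payload[pos]
        info[key] = items
    return info

def probe_afp(host, port=548, timeout=3.0):
    """Parsed server info if AFP still answers on the NAS, else None (closed, filtered or not AFP)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_get_status())
            hdr = s.recv(16)
            if len(hdr) < 16 or DSI_HEADER.unpack(hdr)[:2] != (1, DSI_GET_STATUS):  # flags 1 = reply
                return None
            body, length = b"", DSI_HEADER.unpack(hdr)[4]
            while len(body) < length:  # the reply may arrive in several segments
                chunk = s.recv(length - len(body))
                if not chunk:
                    break
                body += chunk
            return parse_server_info(body)
    except OSError:
        return None

_p = lambda s: bytes([len(s)]) + s.encode("ascii")  # Pascal string builder for the sample below
def sample_server_info():
    """Constructed FPGetSrvrInfo payload (not captured from a real device) so the parser runs offline."""
    name, machine = _p("TestNAS"), _p("Netatalk3.1")
    versions, uams = b"\x02" + _p("AFP3.3") + _p("AFP3.4"), b"\x01" + _p("DHX2")
    m_off = 10 + len(name)  # 18: "TestNAS" plus its length byte already ends on an even boundary
    head = struct.pack(">HHHHH", m_off, m_off + len(machine), m_off + len(machine) + len(versions), 0, 0)
    return head + name + machine + versions + uams
```

Run `probe_afp("nas.example.local")` (hypothetical host name) against your own NAS before and after disabling AFP: a dict before, `None` after, confirms the setting took effect.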