QNAP® had published security enhancement against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

• Out-of-Bounds Vulnerabilities in OpenSSL (ID: QSA-21-39)
• Out-of-Bounds Read Vulnerability in OpenSSL (ID: QSA-21-40)

Out-of-Bounds Vulnerabilities in OpenSSL Release date: August 30, 2021 Security ID: QSA-21-39 Severity: High CVE identifier: CVE-2021-3711 | CVE-2021-3712 Affected products: QNAP NAS running HBS 3 Summary Two out-of-bounds vulnerabilities in OpenSSL have been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerabilities allow remote attackers to execute arbitrary code with the permissions of the user running the application. QNAP is thoroughly investigating the case. We will release security updates and provide further information as soon as possible. <<Learn more>>

Out-of-Bounds Read Vulnerability in OpenSSL Release date: August 30, 2021 Security ID: QSA-21-40 Severity: Medium CVE identifier: CVE-2021-3712 Affected products: QNAP NAS running QTS, QuTS hero, and QuTScloud Summary An out-of-bounds read vulnerability in OpenSSL has been reported to affect QNAP NAS running QTS, QuTS hero, and QuTScloud. If exploited, the vulnerability allows remote attackers to disclose memory data or execute a denial-of-service (DoS) attack. QNAP is thoroughly investigating the case. We will release security updates and provide further information as soon as possible. <<Learn more>>

If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.