{"id":7421,"date":"2021-09-28T12:49:09","date_gmt":"2021-09-28T19:49:09","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=7421"},"modified":"2023-04-20T02:26:28","modified_gmt":"2023-04-20T09:26:28","slug":"critical-openssl-vulnerabilities-affecting-linux-and-nas-devices","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/critical-openssl-vulnerabilities-affecting-linux-and-nas-devices\/","title":{"rendered":"Critical OpenSSL Vulnerabilities affecting Linux and NAS devices"},"content":{"rendered":"

On August 24, 2021, Synology, a Taiwan-based manufacturer of network-attached storage (NAS) devices, reported<\/a> remote code execution (RCE) and denial of service (DoS) vulnerabilities in OpenSSL that impacted its products. This news comes in the wake of eCh0raix ransomware attacks<\/a> on QNAP NAS devices between April and June 2021 and on Synology devices since 2019.<\/p>\n

Initially, it was unclear how many organizations and products would likely be affected by the flaws. However, soon after, tech giants including QNAP<\/a>, Alpine Linux<\/a>, Debian<\/a>, Red Hat<\/a>, SUSE<\/a>, and Ubuntu<\/a> issued security advisories to inform customers about the impact of the two vulnerabilities.<\/p>\n

Tracked as CVE-2021-3711<\/a> and CVE-2021-3712<\/a>, the OpenSSL vulnerabilities allow attackers to take over the flow of an application entirely by tricking it into thinking it has succeeded or failed to execute.<\/p>\n

Recent Developments<\/strong><\/h2>\n

New OpenSSL vulnerability<\/strong><\/h2>\n

On March 15, 2022, OpenSSL shipped patches for a high-severity denial-of-service vulnerability that affects its software library. The flaw is tracked as CVE-2022-0778<\/a> and has a CVSS v3 score of 7.5. It affects OpenSSL versions 1.0.2, 1.1.1, and 3.0 and is fixed in releases 1.0.2zd (for premium support customers), 1.1.1n, and 3.0.2. Although OpenSSL 1.1.0 is also vulnerable, it will not be patched because it has reached end of life. This vulnerability can definitely be weaponized, and the NSA<\/a> urges users to patch it immediately.<\/p>\n

Our Findings<\/strong><\/h2>\n

CSW researchers studied the OpenSSL vulnerabilities and their impact. Here is our analysis:<\/strong><\/p>\n

CVE-2021-3711<\/strong><\/p>\n