On the 22nd of March 2022 the Netatalk team at SourceForge announced Netatalk 3.1.13 with a new feature and several security updates. Version 3.0 of Netatalk was released in July 2012. Netatalk is a free, open-source implementation of AFP that allows Unix-like operating systems (which frequently power NAS devices) to serve as a file server for macOS systems. Many types of NAS devices support AFP so that macOS systems can access the data on them.
In real life this usually means they are used as an external hard drive that can be accessed over an intranet or the Internet.
AFP is a proprietary network protocol, and part of the Apple File Service (AFS), that offers file services for macOS and the classic Mac OS.
AFP and Netatalk
A NAS device is a storage server connected to a computer network, storing data that can be accessed by a wide variety of devices, including Windows, macOS, and other systems. Given the severity of the vulnerabilities, keep an eye out for updates. build 20220419 and later, but it is still working to release security updates for all affected QNAP operating system versions. In a security advisory, QNAP says it has fixed the Netatalk vulnerabilities for QTS 4.
All of them are remote code execution (RCE) vulnerabilities, and all of them have a CVSS severity score of 9.8 out of 10. Taiwanese corporation QNAP has asked customers to disable the AFP file service protocol on its NAS appliances while it creates fixes for multiple critical Netatalk vulnerabilities. Others have already done so, or have taken more drastic measures. But QNAP is not the only vendor that needed to fix these vulnerabilities. macOS users who have a network-attached storage (NAS) device made by QNAP are being advised to disable the Apple Filing Protocol (AFP) on their devices until some severe vulnerabilities have been fixed.