
Numerous Security Fixes Implemented for SAMBA, Kernel and Various Plugins in ASUSTOR's Security Investigation

btarunr

Editor & Senior Moderator
To strengthen its protection against malware attacks, ASUSTOR continuously upgrades its ADM system to bring security and safety to users. ASUSTOR recognizes that the spread of malware is an increasingly large problem for data security, and that ransomware such as Deadbolt is a wake-up call for customers and providers alike. In light of this, ASUSTOR will increase its commitment to identifying and patching potential vulnerabilities through consistent updates, in order to stay ahead of threats to data.

The latest version of ADM updates Samba, Linux packages and the Linux kernel to strengthen ADM's security for the best customer experience. In addition to updating ADM itself to fix OS vulnerabilities, third-party components of the OS have been updated for greater security. While these security updates help keep ADM more secure than it has ever been, making 3-2-1-compliant backups remains the only way to ensure data is safe from most practical risks.



New security updates for ADM:
  • Updated SAMBA to fix the following vulnerabilities: CVE-2022-32742, CVE-2022-2031, CVE-2022-32744, CVE-2022-32745, CVE-2022-32746.
  • Fixed the following Linux kernel vulnerabilities: CVE-2019-18282, CVE-2019-19527, CVE-2019-19532, CVE-2019-19537, CVE-2020-12770, CVE-2021-0605, CVE-2021-20317, CVE-2021-20321, CVE-2021-29154, CVE-2021-29650, CVE-2021-34556, CVE-2021-35477, CVE-2021-3732, CVE-2021-3753, CVE-2021-39633, CVE-2021-39698, CVE-2021-4149, CVE-2021-4203, CVE-2021-45868, CVE-2022-0185, CVE-2022-0330, CVE-2022-0617, CVE-2022-1011, CVE-2022-1048, CVE-2022-1055, CVE-2022-1353, CVE-2022-20008, CVE-2022-27666, CVE-2022-28893, CVE-2022-29582.
  • Updated GnuTLS to fix the following vulnerabilities: CVE-2020-24659, CVE-2021-20231, CVE-2021-20232.
  • Updated Nettle to fix the following vulnerabilities: CVE-2021-3580, CVE-2021-20305.
  • Updated Avahi to fix the following vulnerabilities: CVE-2021-3502, CVE-2021-3468.

 
What they need to fix is the lack of ability to use a drive without formatting it first. This makes their devices completely unusable.
 
I don't get it. Did they just discover apt update/dnf upgrade? Or they had that, but their repos just lagged behind?
 
The issue is that these pre-built NAS devices run custom operating systems that often use older kernels and older software versions, which requires custom software patches. Sometimes it takes these companies a few months to issue updates, which is far from ideal.
 
Let's be honest, they're running Linux. Sure, there's a custom WebUI and custom services on top. Neither should stop them from patching the underlying OS promptly.
 
Sure, but when you're using an unsupported kernel and five-year-old versions of Samba... then you end up having to do a lot of extra work to patch your software.
Not trying to defend these companies, simply informing about how they operate.
Have a look at QNAP's FreeBSD-based software. My friend was one of the main engineers on that project; he quit because they wouldn't listen to him and decided to use an old OS that they now have to backport everything to. It's a disaster.
 
Oh, I know that very well.
That's what I was hinting at in my initial post: Asus haven't suddenly discovered a security miracle, they simply stopped slacking off and did something they should be doing every day.

This isn't even something specific to routers. Any smart device suffers from software neglect, most of the time way worse than your router. I've even read a suggestion to place all "smart" devices on your guest network to give yourself an extra layer of isolation from crappy and exploitable software.

As for companies adamantly insisting on doing the wrong thing because "reasons"... I'm all too familiar with that.
 
Ok. I’m a bit lost.

Is this asustor pushing out firmware with an updated Samba??
Or
Is this Samba putting out the latest or updated version for everyone to use?
 
The first thing. Though not sure I'd call it firmware, but I suppose it works anyway.
 
So nice from them to fix CVEs not only from 2022, but 2021 and 2020 too. I thought these boxes have regular updates.
 
They're regular alright. It's just that the cadence is "whenever they can be bothered".

Like @TheLostSwede said above, manufacturers use (unnecessarily) customized software, which is hard to maintain. And the further they fall behind, the harder it becomes to port various fixes. Add to that people who may leave the project over time, and you can start to understand why maintenance is such a nightmare: nobody wants to do it.
 