QNAP Releases System Updates to Fix Heartbleed OpenSSL Vulnerability
QNAP has announced firmware updates for Turbo NAS systems with vulnerability to the OpenSSL Heartbleed bug (CVE-2014-0160).
The operating systems vulnerable to Heartbleed are QTS versions 4.0 and 4.1. Versions 3.8 and earlier use a different version of OpenSSL and are not affected by the OpenSSL Heartbleed bug. As described on the Common Vulnerabilities and Exposures website, the OpenSSL 1.0.1 TLS and DTLS implementation, before 1.0.1g, does not properly process Heartbeat Extension packets which allow remote attackers to obtain sensitive information by reading private keys (aka the Heartbleed bug).
To obtain the system updates (QTS 4.0.7 and QTS 4.1.0 RC2) with recompiled OpenSSL, either download from here or have your Turbo NAS perform a live update via the QTS control panel.
Presently, most top websites like Google, Facebook, YouTube, Pinterest, and Wikipedia, are free of the Heartbleed vulnerability. However, some 20,000 websites are still susceptible. You can change your passwords at the websites mentioned in this list, if you haven't done so.