Subj : QNAP patches worrying NAS security flaw, so update now
To   : All
From : TechnologyDaily
Date : Wed Oct 30 2024 15:15:05

QNAP patches worrying NAS security flaw, so update now

Date:
Wed, 30 Oct 2024 15:10:00 +0000

Description:
QNAP device flaw discovered during recent hackaton.

FULL STORY
======================================================================

Top NAS device manufacturer QNAP has fixed a high-severity vulnerability 
which allowed threat actors to execute arbitrary commands on target 
endpoints. 

This zero-day flaw was described as an OS command injection weakness, 
plaguing the companys disaster recovery and data backup solution called HBS 3 
Hybrid Backup Sync. Versions 25.1.x were said to be vulnerable. 

The bug is tracked as CVE-2024-50388, and is yet to be given a severity 
score. 

"An OS command injection vulnerability has been reported to affect HBS 3 
Hybrid Backup Sync. If exploited, the vulnerability could allow remote 
attackers to execute arbitrary commands," the company said in a follow-up 
security advisory. Pwn2Own 

If your organization is using these devices, make sure to upgrade to the 
latest version as soon as possible - to protect against potential compromise, 
make sure to get your HBS 3 Backup Sync to versions 25.1.1.673, or newer. 

Updating can be done through the NAS device, by logging into QTS or QuTS hero 
as admin, navigating to the App Center, navigating to HBS 3 Hybrid Backup 
Sync, and looking for the Update button. If its not available, that means the 
tool is up to date. 

The vulnerability was first discovered during the Pwn2Own Ireland 2024 
hackathon, when two Viettel Cyber Security researchers, Ha The Long, and Ha 
Anh Hoang, used it to execute arbitrary code and gain admin privileges on a 
TS-464 NAS device. The team ended up winning the hackathon. 

QNAP is one of the worlds most popular manufacturers of NAS devices, and as 
such is a major target for cybercriminals. NAS devices are often used to 
store sensitive personal files which, if stolen, can be used as leverage in 
an extortion attempt. QNAP often releases patches to address different 
vulnerabilities, and it would be wise to keep these instances updated at all 
times. 

 Via BleepingComputer More from TechRadar Pro QNAP warns its NAS devices are 
facing a critical security flaw  but a patch is available, so update now 
We've tested the best NAS hard drives around These are the best endpoint 
protection tools right now



======================================================================
Link to news story:
https://www.techradar.com/pro/security/qnap-patches-worrying-nas-security-flaw
-so-update-now


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.