What recent vulnerability did QNAP fix?

QNAP recently patched a critical zero-day vulnerability, CVE-2024-50388, which was discovered by Team Viettel during the Pwn2Own Ireland 2024 competition. The vulnerability is an OS command injection flaw in QNAP’s HBS 3 Hybrid Backup Sync, allowing potential remote command execution.

What is CVE-2024-50388, and how does it impact QNAP devices?

CVE-2024-50388 is an OS command injection vulnerability in QNAP’s HBS 3 Hybrid Backup Sync (version 25.1.x). If exploited, it allows remote attackers to execute arbitrary commands on affected NAS devices, potentially leading to unauthorized administrative control over the system.

How quickly did QNAP respond to CVE-2024-50388 after its discovery?

QNAP issued a patch on October 29, 2024, just five days after the vulnerability was demonstrated at Pwn2Own 2024. The fix is included in HBS 3 Hybrid Backup Sync version 25.1.1.673 and later.

How can users update HBS 3 Hybrid Backup Sync to secure their QNAP NAS devices?

To update HBS 3, users should log in to QTS or QuTS hero as an administrator, open the App Center, search for 'HBS 3 Hybrid Backup Sync,' and select 'Update' if an update is available. This will install version 25.1.1.673 or later, which includes the security patch for CVE-2024-50388.

Why are QNAP devices often targeted in ransomware attacks?

QNAP devices are frequent targets for ransomware due to their use in storing sensitive personal and business data. Attackers exploit vulnerabilities to encrypt stored data and demand ransom for decryption, leveraging the critical nature of the data stored on these NAS devices.

What competition showcased the vulnerability in QNAP’s HBS 3 Hybrid Backup Sync?

The vulnerability CVE-2024-50388 was demonstrated by Team Viettel from Viettel Cyber Security at the Pwn2Own Ireland 2024 competition, held from October 22-25. The team used the exploit to gain administrative control over a QNAP TS-464 NAS device, ultimately winning the event.

Advisory

QNAP fixes a critical zero-day flaw in HBS 3 Hybrid Backup Sync discovered during Pwn2Own

published: Nov. 6, 2024

Take action: If you are running QNAP HBS 3 Hybrid Backup Sync solution, patch ASAP. The exploit was demonstrated live, so the cat is out of the bag. You will be targeted.

Learn More

QNAP has fixed a critical zero-day vulnerability, which was exploited by security researchers during the Pwn2Own Ireland 2024 competition. At the Pwn2Own event, held from October 22-25, Team Viettel from Viettel Cyber Security leveraged CVE-2024-50388 to gain administrative control over a QNAP TS-464 NAS device, ultimately winning the competition. V

The flaw is tracked as CVE-2024-50388 (CVSS score not available, QNAP ranks as Critical) is an OS command injection vulnerability and affects HBS 3 Hybrid Backup Sync (version 25.1.x) — QNAP’s disaster recovery and backup solution. If exploited, it could allow remote attackers to execute arbitrary commands on affected NAS devices.

QNAP patched this vulnerability on October 29, 2024, within five days of its demonstration at Pwn2Own. The fix is included in HBS 3 Hybrid Backup Sync version 25.1.1.673 and later. To update HBS 3:

Log in to QTS or QuTS hero as an administrator.
Open the App Center and search for "HBS 3 Hybrid Backup Sync."
If an update is available, select "Update" to install it.

QNAP devices have been frequent targets for ransomware attacks due to their storage of sensitive personal data, which attackers use to demand ransom for file decryption.

QNAP fixes a critical zero-day flaw in HBS 3 Hybrid Backup Sync discovered during Pwn2Own

Read More
CISA reports active explotation of WatchGuard Firebox vulnerability
BeyondTrust reports critical vulnerability in it's appliances
Critical Remote Code execution vulnerability reported in BentoML
Critical Zero Day vulnerabilities in Atera Windows Installers …
Atlassian fixes multiple critical vulnerabilities in their products