What is the critical vulnerability patched by QNAP in its SMB Service?

The critical vulnerability, tracked as CVE-2024-50387, is an SQL injection flaw in QNAP’s SMB Service that was discovered during the Pwn2Own Ireland 2024 event. It allowed researchers to gain root access on a QNAP TS-464 NAS device. QNAP addressed this vulnerability in SMB Service versions 4.15.002 and h4.15.002 or later.

Were any other vulnerabilities discovered in QNAP systems at Pwn2Own 2024?

Yes, another zero-day vulnerability was discovered in QNAP's HBS 3 Hybrid Backup Sync solution, which enabled arbitrary command execution on the TS-464 NAS device. This exploit was demonstrated by Viettel Cyber Security's team, contributing to their win at the Pwn2Own event.

Why is it important to update QNAP NAS systems following these discoveries?

QNAP NAS systems are often targeted in ransomware campaigns as they are commonly used for sensitive data storage and backups. Updating the systems with the latest patches helps protect against potential exploitation of these vulnerabilities.

How can users update their QNAP SMB Service to address the vulnerability?

Users can update their QNAP SMB Service by accessing the App Center, searching for 'SMB Service,' and installing the latest available updates. The critical patches are included in versions 4.15.002 and h4.15.002 or later.

What was the outcome of Pwn2Own Ireland 2024?

Pwn2Own Ireland 2024 awarded over $1 million to security researchers for exposing more than 70 unique zero-day vulnerabilities across multiple devices, including QNAP NAS systems. Viettel Cyber Security’s team won the event by successfully exploiting vulnerabilities, including one in QNAP’s HBS 3 Hybrid Backup Sync solution.

Advisory

QNAP patches critical SQLi flaw

published: Oct. 30, 2024

Take action: If you are running QNAP NAS devices, consider them vulnerable and start patching. Even if isolated from the internet, they can still be attacked since they are serving multiple users whose endpoints may be compromised.

Learn More

QNAP has issued patches for a critical SQL injection vulnerability discovered during the Pwn2Own Ireland 2024 event.

The flaw is tracked as CVE-2024-50387 (CVSS score not assigned) in QNAP's SMB Service allowed security researchers from YingMuo, associated with the DEVCORE Internship Program, to obtain root access on a QNAP TS-464 NAS device. Rated critical, the vulnerability was rapidly addressed in SMB Service versions 4.15.002 or later and h4.15.002 or later.

In addition to CVE-2024-50387, QNAP also fixed another zero-day vulnerability found in its HBS 3 Hybrid Backup Sync solution (CVE not assigned). This issue, exploited by Viettel Cyber Security’s team at the same Pwn2Own event, enabled arbitrary command execution on the same TS-464 NAS device model. Viettel’s successful exploit contributed to their overall win at Pwn2Own, where more than $1 million in awards were given for exposing over 70 unique zero-day vulnerabilities.

QNAP devices are high-value targets for ransomware campaigns, often used for sensitive data storage and backup. Users are strongly encouraged to update their NAS systems immediately by accessing the App Center, searching for "SMB Service," and installing available updates.

Read More
Google releases update for Chrome and Chromium browsers, …
Google Android Monthly Update patches actively exploited vulnerability
Mozilla patches multiple high severity flaws in Firefox …
Google releases Chrome security update, patches two high …
WhisperPair Flaw Enables Bluetooth Hijacking and Tracking