Top NAS device manufacturer QNAP has fixed a high-severity vulnerability which allowed threat actors to execute arbitrary commands on target endpoints.
This zero-day flaw was described as an OS command injection weakness, plaguing the company’s disaster recovery and data backup solution called HBS 3 Hybrid Backup Sync. Versions 25.1.x were said to be vulnerable.
The bug is tracked as CVE-2024-50388, and is yet to be given a severity score.
“An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands,” the company said in a follow-up security advisory.
Pwn2Own
If your organization is using these devices, make sure to upgrade to the latest version as soon as possible – to protect against potential compromise, make sure to get your HBS 3 Backup Sync to versions 25.1.1.673, or newer.
Updating can be done through the NAS device, by logging into QTS or QuTS hero as admin, navigating to the App Center, navigating to “HBS 3 Hybrid Backup Sync”, and looking for the “Update” button. If it’s not available, that means the tool is up to date.
The vulnerability was first discovered during the Pwn2Own Ireland 2024 hackathon, when two Viettel Cyber Security researchers, Ha The Long, and Ha Anh Hoang, used it to execute arbitrary code and gain admin privileges on a TS-464 NAS device. The team ended up winning the hackathon.
QNAP is one of the world’s most popular manufacturers of NAS devices, and as such is a major target for cybercriminals. NAS devices are often used to store sensitive personal files which, if stolen, can be used as leverage in an extortion attempt. QNAP often releases patches to address different vulnerabilities, and it would be wise to keep these instances updated at all times.
Via BleepingComputer
More from TechRadar Pro
- QNAP warns its NAS devices are facing a critical security flaw — but a patch is available, so update now
- We’ve tested the best NAS hard drives around
- These are the best endpoint protection tools right now