QNAP patches worrying NAS security flaw, so update now

3 weeks ago

An absurd image of a fastener against a integer background, denoting cybersecurity.

(Image Credit: TheDigitalArtist / Pixabay) (Image credit: Pixabay)

Top NAS device shaper QNAP has fixed a high-severity vulnerability which allowed threat actors to execute arbitrary commands connected target endpoints.

This zero-day flaw was described arsenic an OS bid injection weakness, plaguing nan company’s disaster betterment and information backup solution called HBS 3 Hybrid Backup Sync. Versions 25.1.x were said to beryllium vulnerable.

The bug is tracked arsenic CVE-2024-50388, and is yet to beryllium fixed a severity score.

"An OS bid injection vulnerability has been reported to impact HBS 3 Hybrid Backup Sync. If exploited, nan vulnerability could let distant attackers to execute arbitrary commands," nan institution said successful a follow-up information advisory.

Pwn2Own

If your statement is utilizing these devices, make judge to upgrade to nan latest type arsenic soon arsenic imaginable - to protect against imaginable compromise, make judge to get your HBS 3 Backup Sync to versions 25.1.1.673, aliases newer.

Updating tin beryllium done done nan NAS device, by logging into QTS aliases QuTS leader arsenic admin, navigating to nan App Center, navigating to “HBS 3 Hybrid Backup Sync”, and looking for nan “Update” button. If it’s not available, that intends nan instrumentality is up to date.

The vulnerability was first discovered during nan Pwn2Own Ireland 2024 hackathon, erstwhile 2 Viettel Cyber Security researchers, Ha The Long, and Ha Anh Hoang, utilized it to execute arbitrary codification and summation admin privileges connected a TS-464 NAS device. The squad ended up winning nan hackathon.

Sign up to nan TechRadar Pro newsletter to get each nan apical news, opinion, features and guidance your business needs to succeed!

QNAP is 1 of nan world’s astir celebrated manufacturers of NAS devices, and arsenic specified is simply a awesome target for cybercriminals. NAS devices are often utilized to shop delicate individual files which, if stolen, tin beryllium utilized arsenic leverage successful an extortion attempt. QNAP often releases patches to reside different vulnerabilities, and it would beryllium wise to support these instances updated astatine each times.

Via BleepingComputer

More from TechRadar Pro

QNAP warns its NAS devices are facing a captious information flaw — but a spot is available, truthful update now
We've tested the best NAS difficult drives around
These are nan best endpoint protection tools correct now

Sead is simply a seasoned freelance journalist based successful Sarajevo, Bosnia and Herzegovina. He writes astir IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, information breaches, laws and regulations). In his career, spanning much than a decade, he’s written for galore media outlets, including Al Jazeera Balkans. He’s besides held respective modules connected contented penning for Represent Communications.

Source Technology