Security News QNAP fixes NAS backup software zero-day exploited at Pwn2Own

Gandalf_The_Grey

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,681
Content source
https://www.bleepingcomputer.com/news/security/qnap-fixes-nas-backup-software-zero-day-exploited-at-pwn2own/
QNAP has fixed a critical zero-day vulnerability exploited by security researchers on Thursday to hack a TS-464 NAS device during the Pwn2Own Ireland 2024 competition.

Tracked as CVE-2024-50388, the security flaw is caused by an OS command injection weakness in HBS 3 Hybrid Backup Sync version 25.1.x, the company's disaster recovery and data backup solution.

"An OS command injection vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands," QNAP said in a Tuesday security advisory.

The company has addressed the security bug in HBS 3 Hybrid Backup Sync 25.1.1.673 and later.

To update HBS 3 on your NAS device, log in to QTS or QuTS hero as an administrator, open the App Center, and search for "HBS 3 Hybrid Backup Sync".

If an update is available, click "Update". However, the "Update" button will not be available if your HBS 3 Hybrid Backup Sync is already up-to-date.

The zero-day was patched five days after enabling Ha The Long and Ha Anh Hoang of Viettel Cyber Security to execute arbitrary code and gain admin privileges on the third day of Pwn2Own Ireland 2024.
Click to expand...
www.bleepingcomputer.com

QNAP fixes NAS backup software zero-day exploited at Pwn2Own

QNAP has fixed a critical zero-day vulnerability exploited by security researchers on Thursday to hack a TS-464 NAS device during the Pwn2Own Ireland 2024 competition.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: Andy Ful and Captain Awesome
Gandalf_The_Grey

Gandalf_The_Grey

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
7,681
QNAP patches second zero-day exploited at Pwn2Own to get root
QNAP has released security patches for a second zero-day bug exploited by security researchers during last week's Pwn2Own hacking contest.

This critical SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, was found in QNAP's SMB Service and is now fixed in versions 4.15.002 or later and h4.15.002 and later.

The zero-day flaw was patched one week after allowing YingMuo (working with the DEVCORE Internship Program) to get a root shell and take over a QNAP TS-464 NAS device at Pwn2Own Ireland 2024.
Click to expand...
To update the software on your NAS device, log in to QuTS hero or QTS as an administrator, go to the App Center, search for "SMB Service," and click "Update." This button will not be available if the software is already up-to-date.
Click to expand...
www.bleepingcomputer.com

QNAP patches second zero-day exploited at Pwn2Own to get root

QNAP has fixed a second zero-day vulnerability exploited at the Pwn2Own Ireland 2024 hacking contest to gain a root shell and take over a TS-464 NAS device.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
Reactions: Andy Ful

Similar threads

Gandalf_The_Grey
    • +Reputation
Security News Synology hurries out patches for zero-days exploited at Pwn2Own
Replies
0
Views
695
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
Security News QNAP adds NAS ransomware protection to latest QTS version
Replies
0
Views
1,633
Security News
Gandalf_The_Grey
Gandalf_The_Grey
Gandalf_The_Grey
    • Like
    • +Reputation
Security News Microsoft December 2024 Patch Tuesday fixes 1 exploited zero-day, 71 flaws
Replies
2
Views
363
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top