QNAP has taken decisive action to address a critical zero-day vulnerability tracked as CVE-2024-50388, which was exploited during the Pwn2Own Ireland 2024 competition. This vulnerability, caused by an OS command injection flaw in the HBS 3 Hybrid Backup Sync version 25.1.x, allows remote attackers to execute arbitrary commands on compromised NAS devices. The discovery of this security flaw occurred when researchers from Viettel Cyber Security successfully hacked a TS-464 NAS device, highlighting the ongoing security challenges faced by QNAP products in a landscape rife with cyber threats.
In response to this critical issue, QNAP has released a security patch in version 25.1.1.673 of the HBS 3 Hybrid Backup Sync software. Users are strongly encouraged to update their systems to the latest version to safeguard against potential exploits. To facilitate this process, QNAP has outlined a straightforward update procedure: administrators can log into QTS or QuTS hero, navigate to the App Center, and check for updates. If the “Update” button appears, users should click it to ensure they are protected against the vulnerability.
The quick patch release, occurring just five days after the vulnerability was demonstrated at Pwn2Own, is a notable departure from the typical timeline where vendors often take longer to address security flaws disclosed during such competitions. Traditionally, vendors have a 90-day window before detailed information about the vulnerabilities is published by Trend Micro’s Zero Day Initiative. However, QNAP’s proactive stance reflects a commitment to security and user safety, particularly given the high stakes associated with NAS devices, which often store sensitive personal and business data.
QNAP’s devices have been prime targets for ransomware attacks in the past, and this recent incident underscores the critical need for robust security measures. The company has a history of addressing vulnerabilities, as seen in 2021 when it removed a backdoor account from its Hybrid Backup Sync solution. With the increasing sophistication of cyberattacks, QNAP’s rapid response to this zero-day vulnerability serves as a reminder of the importance of timely software updates in protecting against evolving threats in the cybersecurity landscape.
Reference:
