QNAP fixes NAS backup software zero-day exploited at Pwn2Own

October 29, 2024 at 01:37PM

QNAP has patched a critical OS command injection zero-day (CVE-2024-50388) in HBS 3 Hybrid Backup Sync that was exploited at Pwn2Own Ireland 2024. The fix ships in HBS 3 version 25.1.1.673 and later. It follows a long history of QNAP NAS flaws being exploited by ransomware gangs, which target the devices because of the sensitive files they store.

### Key Takeaways:

1. **Critical Vulnerability Identified**: QNAP fixed a critical zero-day vulnerability (CVE-2024-50388) affecting their HBS 3 Hybrid Backup Sync software during the Pwn2Own Ireland 2024 competition.

2. **Nature of the Flaw**: The vulnerability is an OS command injection issue present in HBS 3 version 25.1.x, which enables remote attackers to execute arbitrary commands.

3. **Patch Availability**: The security issue has been addressed in version 25.1.1.673 and later of HBS 3. Users are advised to check for updates in the App Center on their NAS devices.

4. **Recent Exploitation**: Viettel Cyber Security exploited the vulnerability at Pwn2Own to gain administrative privileges on a QNAP TS-464 NAS.

5. **Timely Response**: QNAP released the patch five days after the exploit was demonstrated at the competition, well inside the 90-day window vendors are usually given to ship a fix before details are disclosed.

6. **Historical Context**: This is not the first security issue in QNAP software. The company previously fixed a backdoor account in HBS 3 (CVE-2021-28799) and an SQL injection vulnerability (CVE-2020-36195), both of which were exploited in ransomware attacks on QNAP NAS devices.

7. **Ongoing Ransomware Threats**: QNAP devices remain prime targets for ransomware groups due to their storage of sensitive data, with prior incidents involving eCh0raix and AgeLocker ransomware exploiting known vulnerabilities.

8. **Competition Results**: Team Viettel won Pwn2Own Ireland 2024, taking a share of the more than $1 million paid out for the zero-day vulnerabilities disclosed during the event.

### Action Items:
– **For QNAP Users**: Confirm in App Center that HBS 3 Hybrid Backup Sync is at version 25.1.1.673 or later; any 25.1.x build below that is affected.
– **For Security Teams**: Monitor QNAP's security advisories for further updates on this and other vulnerabilities in its products.
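As a concrete form of the first action item, here is an added shell check (not QNAP's own tooling and not from the article) that reads the installed HBS 3 version and compares it against the fixed release 25.1.1.673 named above. It assumes QTS records installed apps in an INI-style file at /etc/config/qpkg.conf with a [HybridBackup] section holding a `Version = ...` key; that path, section and key name are assumptions, and the file it runs on here is a constructed sample so the check works offline. The dotted-version comparison is done component by component as integers, so 25.1.1.1000 and 25.2.0.1 both count as patched while 25.1.1 (a missing fourth component) does not.

```shell
#!/bin/sh
# Added example, not QNAP's own tooling: does the installed HBS 3 meet the fixed
# release 25.1.1.673 from the CVE-2024-50388 advisory?
# ASSUMPTIONS (not from the article): QTS lists installed apps in an INI-style
# /etc/config/qpkg.conf with a [HybridBackup] section and a "Version = x.y.z.w"
# key. Version components are assumed to be plain integers.

FIXED_VERSION="25.1.1.673"

# version_ge A B: return 0 when dotted version A >= B, else 1.
# Compared component by component as integers, so 25.1.1.1000 > 25.1.1.673
# and 25.2 > 25.1.1.673; a missing component counts as 0 (25.1.1 < 25.1.1.673).
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca="${a%%.*}"               # leading component (empty once A is consumed)
        cb="${b%%.*}"
        if [ -z "$ca" ]; then ca=0; fi
        if [ -z "$cb" ]; then cb=0; fi
        if [ "$ca" -gt "$cb" ]; then return 0; fi
        if [ "$ca" -lt "$cb" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac   # drop the component
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0                        # every component equal
}

# qpkg_version CONF SECTION: print the Version value from [SECTION] in an
# INI-style file, or nothing if the section or key is absent.
qpkg_version() {
    awk -v want="[$2]" '
        $0 == want                { inside = 1; next }
        /^\[/                     { inside = 0 }
        inside && $1 == "Version" { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }
    ' "$1"
}

# hbs3_status CONF: print a verdict; exit 0 = patched, 1 = vulnerable,
# 2 = HBS 3 not listed (not installed, or the assumed section name is wrong).
hbs3_status() {
    v="$(qpkg_version "$1" HybridBackup)"
    if [ -z "$v" ]; then
        echo "HBS 3: no [HybridBackup] entry in $1"
        return 2
    fi
    if version_ge "$v" "$FIXED_VERSION"; then
        echo "HBS 3 $v: patched (>= $FIXED_VERSION)"
        return 0
    fi
    echo "HBS 3 $v: VULNERABLE to CVE-2024-50388, update to $FIXED_VERSION or later"
    return 1
}

# write_sample_conf PATH HBS_VERSION: write a CONSTRUCTED qpkg.conf-style file
# so the check can be exercised offline; the layout mirrors the assumption above.
write_sample_conf() {
    cat > "$1" <<EOF
[container-station]
Name = container-station
Version = 3.0.8.839

[HybridBackup]
Name = HybridBackup
Version = $2
Enable = TRUE
EOF
}

# Stand-alone run against the constructed sample (on a NAS, pass /etc/config/qpkg.conf).
SAMPLE="${TMPDIR:-/tmp}/qpkg.conf.sample.$$"
write_sample_conf "$SAMPLE" "25.1.1.645"   # an unpatched 25.1.x build, constructed
status=0
hbs3_status "$SAMPLE" || status=$?
echo "exit status: $status"
rm -f "$SAMPLE"
```

On a real device, run `hbs3_status /etc/config/qpkg.conf` over SSH and treat exit status 2 as "verify by hand in App Center", since it only means the assumed section name was not found. The script deliberately avoids string comparison of versions: `[ "25.1.1.1000" \< "25.1.1.673" ]` would be true lexically, which is the classic way a patch-status check reports an updated box as vulnerable (or, worse, the reverse).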
