QNAP patches second zero-day exploited at Pwn2Own to get root

October 30, 2024 at 01:43PM

QNAP released security patches for two critical zero-day vulnerabilities, CVE-2024-50387 and another in HBS 3 Hybrid Backup Sync, exploited during Pwn2Own 2024. These patches were issued quickly, highlighting QNAP devices’ susceptibility to cyberattacks. Users are urged to update their software promptly to protect sensitive data.

### Meeting Takeaways

1. **Recent Security Releases by QNAP**:
– QNAP has issued security patches for two zero-day vulnerabilities identified at the Pwn2Own 2024 hacking contest.

2. **Critical SQL Injection Vulnerability**:
– The SQL injection vulnerability, CVE-2024-50387, was found in QNAP’s SMB Service.
– Fixed in versions 4.15.002 and h4.15.002 or later.

3. **Details of Pwn2Own Incident**:
– YingMuo, from the DEVCORE Internship Program, successfully exploited the zero-day to gain root access to a QNAP TS-464 NAS device.

4. **HBS 3 Hybrid Backup Sync Vulnerability**:
– Another zero-day vulnerability was patched in the HBS 3 Hybrid Backup Sync solution, exploited by Viettel Cyber Security’s team during the contest.

5. **Competition Outcome**:
– Team Viettel won Pwn2Own Ireland 2024, a contest at which over 70 unique zero-day vulnerabilities were demonstrated and more than $1 million in prizes was awarded.

6. **Patching Timeline**:
– QNAP’s prompt response to patch both vulnerabilities within a week is notable, as most vendors typically take longer due to the 90-day window before details are released by Trend Micro’s Zero Day Initiative.

7. **Updating QNAP Devices**:
– To update software, users must log in to QuTS hero or QTS as administrators, navigate to the App Center, search for “SMB Service,” and click “Update.”
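A defender auditing a fleet will want to check installed SMB Service versions against the fixed builds named above (4.15.002 and h4.15.002) rather than trusting that every device was updated by hand. The following is an added example, not QNAP's code or anything from the article; it assumes that the "h" prefix marks the QuTS hero build of SMB Service and that the inventory of device versions (constructed here) has been collected separately, for example from the App Center.

```python
"""Check QNAP SMB Service versions against the fixed builds for CVE-2024-50387.

Added example: the version parser and comparison are illustrative, not a QNAP API.
"""
import re
from typing import Dict, List, Tuple

# Fixed SMB Service versions named in the advisory.
# Assumption: the "h" prefix denotes the QuTS hero build; no prefix denotes QTS.
FIXED_SMB_SERVICE = {"qts": "4.15.002", "quts_hero": "h4.15.002"}

_VERSION_RE = re.compile(r"^(?P<branch>h?)(?P<nums>\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[str, Tuple[int, ...]]:
    """Split 'h4.15.002' into ('quts_hero', (4, 15, 2)); raise on unrecognised input."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised SMB Service version: {text!r}")
    branch = "quts_hero" if m.group("branch") == "h" else "qts"
    nums = tuple(int(part) for part in m.group("nums").split("."))
    return branch, nums


def is_patched(installed: str) -> bool:
    """True if the installed version is at or above the fixed build for its branch."""
    branch, nums = parse_version(installed)
    _, fixed = parse_version(FIXED_SMB_SERVICE[branch])
    # Pad the shorter tuple with zeros so "4.15" compares as 4.15.000, not as a shorter string.
    width = max(len(nums), len(fixed))
    nums_padded = nums + (0,) * (width - len(nums))
    fixed_padded = fixed + (0,) * (width - len(fixed))
    return nums_padded >= fixed_padded


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Sort devices into patched / needs_update / unknown (unparseable version)."""
    result: Dict[str, List[str]] = {"patched": [], "needs_update": [], "unknown": []}
    for device, version in sorted(inventory.items()):
        try:
            bucket = "patched" if is_patched(version) else "needs_update"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(device)
    return result


# Constructed sample inventory (device name -> installed SMB Service version).
SAMPLE_INVENTORY = {
    "nas-01": "4.15.002",   # QTS, exactly the fixed build
    "nas-02": "4.14.003",   # QTS, older than the fix
    "nas-03": "h4.15.002",  # QuTS hero, exactly the fixed build
    "nas-04": "h4.15.001",  # QuTS hero, one build short
    "nas-05": "4.15.003",   # QTS, newer than the fix
    "nas-06": "not-installed",  # unparseable; surfaced rather than silently skipped
}

if __name__ == "__main__":
    for bucket, devices in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
```

Unparseable versions are reported in their own bucket instead of being counted as patched; a device whose version cannot be read still needs a manual look in the App Center.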

8. **Importance of Quick Patching**:
– QNAP devices are frequent targets for cybercriminals, emphasizing the necessity for users to patch vulnerabilities quickly to protect sensitive personal data from ransomware attacks.

9. **Historical Cyber Threats**:
– QNAP has faced several ransomware threats in the past, including eCh0raix and AgeLocker, with vulnerabilities in applications like Photo Station being exploited.

10. **Current Threat Landscape**:
– Other ongoing ransomware campaigns targeting QNAP devices include DeadBolt and Checkmate, exploiting a range of security vulnerabilities.

### Recommendations:
– Update NAS devices immediately to safeguard against new vulnerabilities.
– Monitor QNAP’s security announcements and apply patches as they are released.
