
QNAP has addressed a critical zero-day vulnerability in its HBS 3 Hybrid Backup Sync software, following its successful exploitation at the recent Pwn2Own Ireland 2024 competition.
The vulnerability, tracked as CVE-2024-50388 with a CVSS score of 7.8, allowed attackers to execute arbitrary commands on a QNAP TS-464 NAS device, highlighting the potential for serious security breaches.
The exploit was showcased by Ha The Long and Ha Anh Hoang of Viettel Cyber Security (@vcslab), who leveraged an OS command injection flaw to compromise the NAS device. They earned a $10,000 prize and 4 Master of Pwn points.
QNAP acknowledged the flaw, emphasizing that it could allow remote attackers to gain unauthorized access to and control of vulnerable systems, and released HBS 3 Hybrid Backup Sync version 25.1.1.673, which patches it.
The update process is straightforward and can be completed within QTS or QuTS hero by following these steps:
- Log in as an administrator.
- Open App Center and click the search icon.
- Type “HBS 3 Hybrid Backup Sync” and press Enter.
- Click Update next to the HBS 3 Hybrid Backup Sync app.
- Confirm the update by clicking OK.
For more details, refer to the blog