Table of Contents
  • Home
  • /
  • Blog
  • /
  • Three Critical Vulnerabilities Discovered in QNAP Products (PWN2OWN 2024)
November 7, 2024
|
6m

Three Critical Vulnerabilities Discovered in QNAP Products (PWN2OWN 2024)


Critical QNAP Vulnerabilities Exposed at PWN2OWN 2024

QNAP Systems, a leading manufacturer of Network Attached Storage (NAS) devices, has recently disclosed multiple critical vulnerabilities affecting various QNAP products during PWN2OWN 2024. These security flaws, tracked as CVE-2024-50388, CVE-2024-50389, and CVE-2024-50387, impact multiple QNAP services including HBS 3 Hybrid Backup Sync, QuRouter, and SMB Service respectively. The vulnerabilities were discovered by security researchers from Viettel Cyber Security and YingMuo working with DEVCORE Internship Program during the PWN2OWN 2024 event.

About QNAP Products

QNAP is a renowned provider of Network Attached Storage solutions, offering a comprehensive range of products designed for both home users and enterprises. Their product lineup includes NAS devices running QTS and QuTS hero operating systems, networking solutions like QuRouter, and various services such as HBS 3 Hybrid Backup Sync for data backup and SMB Service for file sharing. These solutions are known for their reliability, versatility, and robust feature sets that cater to diverse storage and networking needs.

Summary of the Vulnerabilities

The vulnerabilities discovered during PWN2OWN 2024 affect three critical QNAP services. Here's a detailed breakdown of each vulnerability:

CVE-2024-50388 (HBS 3 Vulnerability)

  • CVE ID: CVE-2024-50388

  • Description: Critical vulnerability affecting HBS 3 Hybrid Backup Sync

  • Affected Service: QNAP HBS 3 Hybrid Backup Sync

  • CVSS Score: Critical (Score not published)

  • CVSS Vector: Not available (at the time of publish)

  • Affected Versions: HBS 3 Hybrid Backup Sync 25.1.x

  • Fixed in: Version 25.1.1.673 and later

This critical vulnerability affects QNAP's HBS 3 Hybrid Backup Sync service, which is crucial for data backup and synchronization tasks. While the technical details haven't been disclosed, given its discovery at PWN2OWN 2024 and critical severity rating, it likely represents a significant security risk to backup operations.

CVE-2024-50389 (QuRouter Vulnerability)

  • CVE ID: CVE-2024-50389

  • Description: Critical vulnerability in QuRouter firmware

  • Affected Service: QNAP QuRouter

  • CVSS Score: Critical (Score not published)

  • CVSS Vector: Not available (at the time of publish)

  • Affected Versions: QuRouter 2.4.x

  • Fixed in: Version 2.4.5.032 and later

The vulnerability in QuRouter, QNAP's networking solution, could potentially compromise network security. Given QuRouter's role in managing network traffic and security, this vulnerability could have significant implications for network infrastructure security.

CVE-2024-50387 (SMB Service Vulnerability)

  • CVE ID: CVE-2024-50387

  • Description: Critical vulnerability in SMB Service

  • Affected Service: QNAP SMB Service

  • CVSS Score: Critical (Score not published)

  • CVSS Vector: Not available (at the time of publish)

  • Affected Versions: SMB Service 4.15.x and SMB Service h4.15.x

  • Fixed in: Version 4.15.002 and later (for both variants)

The vulnerability in SMB Service is particularly concerning as this service handles file sharing and network communications. SMB (Server Message Block) is a critical protocol used for file and printer sharing, and a vulnerability in this service could potentially lead to unauthorized access or compromise of shared resources.

All these vulnerabilities were discovered by professional security researchers during PWN2OWN 2024, with the SMB Service vulnerability specifically identified by YingMuo working with the DEVCORE Internship Program, and the others by Viettel Cyber Security. QNAP has responded promptly by releasing patches for all affected services.

Impact of the Vulnerabilities

These critical vulnerabilities could potentially allow attackers to compromise affected QNAP devices. While the exact technical details of the vulnerabilities have not been disclosed, given their critical severity rating and discovery during PWN2OWN 2024, they likely pose significant security risks to affected systems. Organizations and users running vulnerable versions of these QNAP services should treat these issues with high priority and apply the available patches as soon as possible.

Products Affected by the Vulnerabilities

The following products are affected by these vulnerabilities:

Product
Version
Fixed Release
HBS 3 Hybrid Backup Sync
25.1.x
Upgrade to 25.1.1.673 or later
QuRouter
2.4.x
Upgrade to 2.4.5.032 or later
SMB Service
4.15.x, h4.15.x
Upgrade to 4.15.002 or later

No mitigations are available for older versions other than upgrading to the patched versions. It is highly recommended that users update their devices immediately to mitigate the risk.

How to Fix the Vulnerabilities

To mitigate these vulnerabilities, follow the recommended steps:

  1. Apply the Patch: Update all affected applications to the latest patched versions as follows:

  2. HBS 3 Hybrid Backup Sync: Update to version 25.1.1.673 or later through the "App Center."

  3. QuRouter: Update to version 2.4.5.032 or later by navigating to "Firmware" in your QuRouter interface and selecting "Update now."

  4. SMB Service: Update to version 4.15.002 or later through the "App Center".

  5. Restrict Internet Access: Limit direct internet access to the affected QNAP services to prevent unauthorized exploitation. This includes disabling port forwarding on your router.

  6. Disable Unnecessary Services: If patching is not possible immediately, consider disabling the affected services until the update can be applied. This will reduce the risk of exploitation.

  7. Network Segmentation: Ensure that devices running vulnerable services are isolated from other parts of the network using VLANs or firewall rules to limit potential damage in case of a compromise.

  8. Monitor System Logs: Regularly review system logs for unusual activity. Enable intrusion detection and prevention systems to identify any unauthorized attempts to exploit these vulnerabilities.

Users are encouraged to stay vigilant and regularly visit QNAP’s security advisories page for the latest updates and guidelines.

We hope this post helps you understand the details of the critical vulnerabilities affecting QNAP products, including their technical details, potential impact, affected models, and most importantly, how to protect your QNAP devices from these vulnerabilities. Stay secure, stay updated, and continue to prioritize the safety of your network and data. Thank you for reading this post. Please share this article to help secure the digital world. Visit our website thesecmaster.com, and our social media page on FacebookLinkedInTwitterTelegramTumblrMedium, and Instagram and subscribe to receive updates like this.

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe