QNAP Systems, a leading manufacturer of Network Attached Storage (NAS) devices, has recently disclosed multiple critical vulnerabilities affecting various QNAP products during PWN2OWN 2024. These security flaws, tracked as CVE-2024-50388, CVE-2024-50389, and CVE-2024-50387, impact multiple QNAP services including HBS 3 Hybrid Backup Sync, QuRouter, and SMB Service respectively. The vulnerabilities were discovered by security researchers from Viettel Cyber Security and YingMuo working with DEVCORE Internship Program during the PWN2OWN 2024 event.
QNAP is a renowned provider of Network Attached Storage solutions, offering a comprehensive range of products designed for both home users and enterprises. Their product lineup includes NAS devices running QTS and QuTS hero operating systems, networking solutions like QuRouter, and various services such as HBS 3 Hybrid Backup Sync for data backup and SMB Service for file sharing. These solutions are known for their reliability, versatility, and robust feature sets that cater to diverse storage and networking needs.
The vulnerabilities discovered during PWN2OWN 2024 affect three critical QNAP services. Here's a detailed breakdown of each vulnerability:
CVE ID: CVE-2024-50388
Description: Critical vulnerability affecting HBS 3 Hybrid Backup Sync
Affected Service: QNAP HBS 3 Hybrid Backup Sync
CVSS Score: Critical (Score not published)
CVSS Vector: Not available (at the time of publish)
Affected Versions: HBS 3 Hybrid Backup Sync 25.1.x
Fixed in: Version 25.1.1.673 and later
This critical vulnerability affects QNAP's HBS 3 Hybrid Backup Sync service, which is crucial for data backup and synchronization tasks. While the technical details haven't been disclosed, given its discovery at PWN2OWN 2024 and critical severity rating, it likely represents a significant security risk to backup operations.
CVE ID: CVE-2024-50389
Description: Critical vulnerability in QuRouter firmware
Affected Service: QNAP QuRouter
CVSS Score: Critical (Score not published)
CVSS Vector: Not available (at the time of publish)
Affected Versions: QuRouter 2.4.x
Fixed in: Version 2.4.5.032 and later
The vulnerability in QuRouter, QNAP's networking solution, could potentially compromise network security. Given QuRouter's role in managing network traffic and security, this vulnerability could have significant implications for network infrastructure security.
CVE ID: CVE-2024-50387
Description: Critical vulnerability in SMB Service
Affected Service: QNAP SMB Service
CVSS Score: Critical (Score not published)
CVSS Vector: Not available (at the time of publish)
Affected Versions: SMB Service 4.15.x and SMB Service h4.15.x
Fixed in: Version 4.15.002 and later (for both variants)
The vulnerability in SMB Service is particularly concerning as this service handles file sharing and network communications. SMB (Server Message Block) is a critical protocol used for file and printer sharing, and a vulnerability in this service could potentially lead to unauthorized access or compromise of shared resources.
All these vulnerabilities were discovered by professional security researchers during PWN2OWN 2024, with the SMB Service vulnerability specifically identified by YingMuo working with the DEVCORE Internship Program, and the others by Viettel Cyber Security. QNAP has responded promptly by releasing patches for all affected services.
These critical vulnerabilities could potentially allow attackers to compromise affected QNAP devices. While the exact technical details of the vulnerabilities have not been disclosed, given their critical severity rating and discovery during PWN2OWN 2024, they likely pose significant security risks to affected systems. Organizations and users running vulnerable versions of these QNAP services should treat these issues with high priority and apply the available patches as soon as possible.
Products Affected by the Vulnerabilities
The following products are affected by these vulnerabilities:
Product
|
Version
|
Fixed Release
|
---|---|---|
HBS 3 Hybrid Backup Sync
|
25.1.x
|
Upgrade to 25.1.1.673 or later
|
QuRouter
|
2.4.x
|
Upgrade to 2.4.5.032 or later
|
SMB Service
|
4.15.x, h4.15.x
|
Upgrade to 4.15.002 or later
|
No mitigations are available for older versions other than upgrading to the patched versions. It is highly recommended that users update their devices immediately to mitigate the risk.
To mitigate these vulnerabilities, follow the recommended steps:
Apply the Patch: Update all affected applications to the latest patched versions as follows:
HBS 3 Hybrid Backup Sync: Update to version 25.1.1.673 or later through the "App Center."
QuRouter: Update to version 2.4.5.032 or later by navigating to "Firmware" in your QuRouter interface and selecting "Update now."
SMB Service: Update to version 4.15.002 or later through the "App Center".
Restrict Internet Access: Limit direct internet access to the affected QNAP services to prevent unauthorized exploitation. This includes disabling port forwarding on your router.
Disable Unnecessary Services: If patching is not possible immediately, consider disabling the affected services until the update can be applied. This will reduce the risk of exploitation.
Network Segmentation: Ensure that devices running vulnerable services are isolated from other parts of the network using VLANs or firewall rules to limit potential damage in case of a compromise.
Monitor System Logs: Regularly review system logs for unusual activity. Enable intrusion detection and prevention systems to identify any unauthorized attempts to exploit these vulnerabilities.
Users are encouraged to stay vigilant and regularly visit QNAP’s security advisories page for the latest updates and guidelines.
We hope this post helps you understand the details of the critical vulnerabilities affecting QNAP products, including their technical details, potential impact, affected models, and most importantly, how to protect your QNAP devices from these vulnerabilities. Stay secure, stay updated, and continue to prioritize the safety of your network and data. Thank you for reading this post. Please share this article to help secure the digital world. Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.
You may also like these articles:
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”
"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.
BurpGPT is a cutting-edge Burp Suite extension that harnesses the power of OpenAI's language models to revolutionize web application security testing. With customizable prompts and advanced AI capabilities, BurpGPT enables security professionals to uncover bespoke vulnerabilities, streamline assessments, and stay ahead of evolving threats.
PentestGPT, developed by Gelei Deng and team, revolutionizes penetration testing by harnessing AI power. Leveraging OpenAI's GPT-4, it automates and streamlines the process, making it efficient and accessible. With advanced features and interactive guidance, PentestGPT empowers testers to identify vulnerabilities effectively, representing a significant leap in cybersecurity.
Tenable BurpGPT is a powerful Burp Suite extension that leverages OpenAI's advanced language models to analyze HTTP traffic and identify potential security risks. By automating vulnerability detection and providing AI-generated insights, BurpGPT dramatically reduces manual testing efforts for security researchers, developers, and pentesters.
Microsoft Security Copilot is a revolutionary AI-powered security solution that empowers cybersecurity professionals to identify and address potential breaches effectively. By harnessing advanced technologies like OpenAI's GPT-4 and Microsoft's extensive threat intelligence, Security Copilot streamlines threat detection and response, enabling defenders to operate at machine speed and scale.