QNAP has launched safety patches for a second zero-day bug exploited by safety researchers throughout final week’s Pwn2Own hacking contest.
This crucial SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, was present in QNAP’s SMB Service and is now mounted in variations 4.15.002 or later and h4.15.002 and later.
The zero-day flaw was patched one week after permitting YingMuo (working with the DEVCORE Internship Program) to get a root shell and take over a QNAP TS-464 NAS gadget at Pwn2Own Eire 2024.
On Tuesday, the corporate mounted one other zero-day in its HBS 3 Hybrid Backup Sync catastrophe restoration and knowledge backup answer, exploited by Viettel Cyber Security’s staff at Pwn2Own to execute arbitrary instructions and hack a TS-464 NAS gadget.
Group Viettel gained Pwn2Own Eire 2024 after 4 days of competitors, throughout which greater than $1 million in prizes have been awarded to hackers who demonstrated over 70 distinctive zero-day vulnerabilities.
Whereas QNAP patched each vulnerabilities inside per week, distributors often take their time to launch safety patches after the Pwn2Own contest, on condition that they’ve 90 days till Pattern Micro’s Zero Day Initiative releases particulars on bugs disclosed in the course of the contest.
To replace the software program in your NAS gadget, log in to QuTS hero or QTS as an administrator, go to the App Heart, seek for “SMB Service,” and click on “Update.” This button is not going to be accessible if the software program is already up-to-date.
Patching shortly is extremely really useful, as QNAP gadgets are in style targets for cybercriminals as a result of they’re generally used for backing up and storing delicate private recordsdata. This makes them straightforward targets for putting in information-stealing malware and the right leverage for forcing victims to pay a ransom to get again their knowledge.
As an illustration, in June 2020, QNAP warned of eCh0raix ransomware assaults, which exploited Picture Station app vulnerabilities to hack into and encrypt QNAP NAS gadgets.
QNAP additionally alerted clients in September 2020 of AgeLocker ransomware assaults concentrating on publicly uncovered NAS gadgets working older and susceptible Picture Station variations. In June 2021, eCh0raix (QNAPCrypt) returned with new assaults exploiting recognized vulnerabilities and brute-forcing NAS accounts utilizing weak passwords.
Different current assaults concentrating on QNAP gadgets embrace DeadBolt, Checkmate, and eCh0raix ransomware campaigns, which abused varied safety vulnerabilities to encrypt knowledge on Web-exposed NAS gadgets.
