QNAP has launched safety patches for a second zero-day bug exploited by safety researchers throughout final week’s Pwn2Own hacking contest.
This crucial SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, was present in QNAP’s SMB Service and is now mounted in variations 4.15.002 or later and h4.15.002 and later.
The zero-day flaw was patched one week after permitting YingMuo (working with the DEVCORE Internship Program) to get a root shell and take over a QNAP TS-464 NAS system at Pwn2Own Eire 2024.
On Tuesday, the corporate mounted one other zero-day in its HBS 3 Hybrid Backup Sync catastrophe restoration and information backup answer, exploited by Viettel Cyber Safety’s workforce at Pwn2Own to execute arbitrary instructions and hack a TS-464 NAS system.
Group Viettel received Pwn2Own Eire 2024 after 4 days of competitors, throughout which greater than $1 million in prizes had been awarded to hackers who demonstrated over 70 distinctive zero-day vulnerabilities.
Whereas QNAP patched each vulnerabilities inside per week, distributors often take their time to launch safety patches after the Pwn2Own contest, on condition that they’ve 90 days till Development Micro’s Zero Day Initiative releases particulars on bugs disclosed in the course of the contest.
To replace the software program in your NAS system, log in to QuTS hero or QTS as an administrator, go to the App Middle, seek for “SMB Service,” and click on “Replace.” This button won’t be obtainable if the software program is already up-to-date.
Patching shortly is extremely advisable, as QNAP gadgets are standard targets for cybercriminals as a result of they’re generally used for backing up and storing delicate private recordsdata. This makes them straightforward targets for putting in information-stealing malware and the proper leverage for forcing victims to pay a ransom to get again their information.
As an example, in June 2020, QNAP warned of eCh0raix ransomware assaults, which exploited Photograph Station app vulnerabilities to hack into and encrypt QNAP NAS gadgets.
QNAP additionally alerted clients in September 2020 of AgeLocker ransomware assaults concentrating on publicly uncovered NAS gadgets working older and weak Photograph Station variations. In June 2021, eCh0raix (QNAPCrypt) returned with new assaults exploiting recognized vulnerabilities and brute-forcing NAS accounts utilizing weak passwords.
Different current assaults concentrating on QNAP gadgets embody DeadBolt, Checkmate, and eCh0raix ransomware campaigns, which abused varied safety vulnerabilities to encrypt information on Web-exposed NAS gadgets.