QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app

LovabledanielsJanuary 24, 202585 Views

QNAP said it addressed six flaws in its Hybrid Backup Sync tool
The flaws stemmed from rsync, an open-source file syncing tool
Users are advised to update their HBS immediately

QNAP has addressed half a dozen vulnerabilities affecting its Hybrid Backup Sync (HBS) software.

In a security advisory, the company noted the vulnerabilities were discovered in rsync, an open source file synchronization tool used to transfer and sync files between systems. It supports local and remote operations via SSH, and minimizes data transfer with incremental updates. Many backup solutions use rsync, including Duplicity, Bacula, Rclone, and others.

HBS is a data backup and disaster recovery solution that supports local, remote, and cloud storage services.

Arbitrary code execution

The bugs are tracked as CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, and CVE-2024-12088, and affect HBS 3 Hybrid Backup Sync 25.1.x. QNAP said they could have been used to run malicious code remotely against unpatched Network Attached Storage (NAS) endpoints. Apparently, threat actors would only need anonymous read access to vulnerable servers, in order to exploit the flaws.

“When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running,” CERT/CC said when rsync 3.4.0 was released. “The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client.”

To secure their systems, administrators are advised to update their HBS 3 Hybrid Backup Sync to version 25.1.4.952, by logging into QTS or QuTS hero as an admin, opening App Center and searching for HBS 3 Hybrid Backup Sync, and clicking on the Update button.

According to BleepingComputer, there are currently more than 700,000 IP addresses with exposed rsync servers, but it’s difficult to determine how many can be exploited.

Via BleepingComputer

Weekly update

Quordle hints and answers for Saturday, June 21 (game #1244)

NYT Strands hints and answers for Saturday, June 21 (game #475)

7 new movies and TV shows to stream on Netflix, Prime Video, Max, and more this weekend (June 20)

Weekly Newsletter

QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app

Leave a comment

Leave a Reply Cancel reply

Explore more

NYT Strands hints and answers for Saturday, June 21 (game #475)

7 new movies and TV shows to stream on Netflix, Prime Video, Max, and more this weekend (June 20)

Three-mode smart window cut indoor temperature by 27°C and eliminate urban glare

Iran, Israel trade air attacks as conflict enters second week | Israel-Iran conflict News

Forget Chrome and Edge – this challenger browser now offers greater protection from online scams

NASA aircraft to make low-altitude flights in mid-Atlantic, California

This breakthrough battery tech could help EVs break the 1,000-mile range barrier – and give them a 190-mile boost in under four minutes

Tech support scammers are forcing their fake phone numbers into real webpages

Get to Know Us

Let's keep in touch