QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app

LovabledanielsJanuary 24, 202576 Views

QNAP said it addressed six flaws in its Hybrid Backup Sync tool
The flaws stemmed from rsync, an open-source file syncing tool
Users are advised to update their HBS immediately

QNAP has addressed half a dozen vulnerabilities affecting its Hybrid Backup Sync (HBS) software.

In a security advisory, the company noted the vulnerabilities were discovered in rsync, an open source file synchronization tool used to transfer and sync files between systems. It supports local and remote operations via SSH, and minimizes data transfer with incremental updates. Many backup solutions use rsync, including Duplicity, Bacula, Rclone, and others.

HBS is a data backup and disaster recovery solution that supports local, remote, and cloud storage services.

Arbitrary code execution

The bugs are tracked as CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, and CVE-2024-12088, and affect HBS 3 Hybrid Backup Sync 25.1.x. QNAP said they could have been used to run malicious code remotely against unpatched Network Attached Storage (NAS) endpoints. Apparently, threat actors would only need anonymous read access to vulnerable servers, in order to exploit the flaws.

“When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running,” CERT/CC said when rsync 3.4.0 was released. “The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client.”

To secure their systems, administrators are advised to update their HBS 3 Hybrid Backup Sync to version 25.1.4.952, by logging into QTS or QuTS hero as an admin, opening App Center and searching for HBS 3 Hybrid Backup Sync, and clicking on the Update button.

According to BleepingComputer, there are currently more than 700,000 IP addresses with exposed rsync servers, but it’s difficult to determine how many can be exploited.

Via BleepingComputer

Weekly update

Trump faces backlash after posting AI image dressed as pope | Donald Trump News

Nearly 290,000 Gaza children on ‘the brink of death’ amid Israeli blockade | Israel-Palestine conflict News

Meta fighting Nigerian fines, warns could shut Facebook, Instagram

Weekly Newsletter

QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app

Leave a comment

Leave a Reply Cancel reply

Explore more

Nearly 290,000 Gaza children on ‘the brink of death’ amid Israeli blockade | Israel-Palestine conflict News

Meta fighting Nigerian fines, warns could shut Facebook, Instagram

Sudan’s paramilitary Rapid Support Forces attack airport in Port Sudan | Sudan war

China denies accessing data after TikTok hit with huge EU fine

10 Lego cars just raced the F1 Miami Grand Prix track – here’s how they were built

AI is booming, but most CFOs say they still can’t make money from it

Lenovo#s ThinkPad P16s Gen 4 flexes AMD muscle but still trails HP’s AI workstation monster

Huge iPhone 17 Air news teased in new report – 3 things you need to know

Get to Know Us

Let's keep in touch