QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app

LovabledanielsJanuary 24, 202570 Views

QNAP said it addressed six flaws in its Hybrid Backup Sync tool
The flaws stemmed from rsync, an open-source file syncing tool
Users are advised to update their HBS immediately

QNAP has addressed half a dozen vulnerabilities affecting its Hybrid Backup Sync (HBS) software.

In a security advisory, the company noted the vulnerabilities were discovered in rsync, an open source file synchronization tool used to transfer and sync files between systems. It supports local and remote operations via SSH, and minimizes data transfer with incremental updates. Many backup solutions use rsync, including Duplicity, Bacula, Rclone, and others.

HBS is a data backup and disaster recovery solution that supports local, remote, and cloud storage services.

Arbitrary code execution

The bugs are tracked as CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, and CVE-2024-12088, and affect HBS 3 Hybrid Backup Sync 25.1.x. QNAP said they could have been used to run malicious code remotely against unpatched Network Attached Storage (NAS) endpoints. Apparently, threat actors would only need anonymous read access to vulnerable servers, in order to exploit the flaws.

“When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running,” CERT/CC said when rsync 3.4.0 was released. “The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client.”

To secure their systems, administrators are advised to update their HBS 3 Hybrid Backup Sync to version 25.1.4.952, by logging into QTS or QuTS hero as an admin, opening App Center and searching for HBS 3 Hybrid Backup Sync, and clicking on the Update button.

According to BleepingComputer, there are currently more than 700,000 IP addresses with exposed rsync servers, but it’s difficult to determine how many can be exploited.

Via BleepingComputer

Weekly update

Humanoid robots stride into the future with world’s first half-marathon

Tunisian court hands opposition figures lengthy jail terms | Human Rights News

‘We told the story we wanted to tell’: Andor lead star opens up on Disney’s decision to end the Star Wars show after two seasons on Disney+

Weekly Newsletter

QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app

Leave a comment

Leave a Reply Cancel reply

Explore more

Tunisian court hands opposition figures lengthy jail terms | Human Rights News

‘We told the story we wanted to tell’: Andor lead star opens up on Disney’s decision to end the Star Wars show after two seasons on Disney+

Could an earthquake shift the balance in Myanmar’s civil war? | Military News

US Supreme Court orders temporary halt to deportations under antique law | Donald Trump News

Lenovo ThinkPad P14s Gen 6 appears online and this 12-core mobile workstation could be Lenovo’s most powerful AMD laptop yet

You’ll be lucky to get 1-hour battery life but at least this laptop is one of the fastest in the world with up to 32TB SSD

YouTube Music listeners are getting a very handy new volume control

Quordle hints and answers for Sunday, April 20 (game #1182)

Get to Know Us

Let's keep in touch