QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app

QNAP said it addressed six flaws in its Hybrid Backup Sync tool
The flaws stemmed from rsync, an open-source file syncing tool
Users are advised to update their HBS immediately

QNAP has addressed half a dozen vulnerabilities affecting its Hybrid Backup Sync (HBS) software.

In a security advisory, the company noted the vulnerabilities were discovered in rsync, an open source file synchronization tool used to transfer and sync files between systems. It supports local and remote operations via SSH, and minimizes data transfer with incremental updates. Many backup solutions use rsync, including Duplicity, Bacula, Rclone, and others.

HBS is a data backup and disaster recovery solution that supports local, remote, and cloud storage services.

Arbitrary code execution

The bugs are tracked as CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, and CVE-2024-12088, and affect HBS 3 Hybrid Backup Sync 25.1.x. QNAP said they could have been used to run malicious code remotely against unpatched Network Attached Storage (NAS) endpoints. Apparently, threat actors would only need anonymous read access to vulnerable servers, in order to exploit the flaws.

“When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running,” CERT/CC said when rsync 3.4.0 was released. “The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client.”

To secure their systems, administrators are advised to update their HBS 3 Hybrid Backup Sync to version 25.1.4.952, by logging into QTS or QuTS hero as an admin, opening App Center and searching for HBS 3 Hybrid Backup Sync, and clicking on the Update button.

According to BleepingComputer, there are currently more than 700,000 IP addresses with exposed rsync servers, but it’s difficult to determine how many can be exploited.

Via BleepingComputer

https://cdn.mos.cms.futurecdn.net/zjafjw6AeTXTuuLetiazgC-1200-80.jpg

Source link

Buyer beware: Asus’ Q-Release Slim feature is reportedly damaging GPUs like the RTX 5090

Epson EpiqVision Mini EF22 review: a well-rounded portable laser projector with Google TV

How to watch Chelsea vs Arsenal: free WSL live streams

I just saw Dreame’s new robot vacuum with feet, and I’m ready to throw out my Roborock

What UK political parties are promising in the 2019 general election

Otto Warmbier’s parents want North Korea to suffer for their son’s death

Could a ‘youthquake’ cause Boris Johnson to lose the general election?

People are driving through flames to escape this California wildfire

Which Celebrity Styles Americans Copy Most in 2025: New Study

New ‘Westworld’ trailer introduces us to another dystopian tech company

What’s the point of ‘Charlie’s Angels’ without Sam Rockwell dancing?

These striking photos capture the future of human flight

Trump vs. Harris: How the election will affect EV adoption

Lumwana’s Super Pit Expansion Officially Launched By Investing.com

How Biden could use a 1947 law to suspend the dockworkers’ strike

Why your Roth IRA conversions could have ‘unintended’ tax consequences

The YouTuber who has become one of Gen Z’s most beloved celebrities

26 last-minute holiday gifts that are still thoughtful and unique

Practicing gratitude regularly can make you less stressed and sleep better

8 things millennials wish you would just stop getting them for the holidays

QNAP says it has fixed several major vulnerabilities in NAS backup, recovery app

Buyer beware: Asus’ Q-Release Slim feature is reportedly damaging GPUs like the RTX 5090

Epson EpiqVision Mini EF22 review: a well-rounded portable laser projector with Google TV

How to watch Chelsea vs Arsenal: free WSL live streams

I just saw Dreame’s new robot vacuum with feet, and I’m ready to throw out my Roborock

Leave a reply Cancel reply