QNAP Patches Second Zero-Day Exploited at Pwn2Own to Get Root

Summary:
QNAP recently published security updates to address two critical zero-day flaws impacting its network-attached storage (NAS) devices, which were exploited by security researchers during the Pwn2Own hacking contest in Ireland last week.

The first of the vulnerabilities patched, tracked as CVE-2024-50388, pertains to an OS command injection weakness in QNAP's HBS 3 Hybrid Backup Sync disaster recovery and data backup solution and was exploited by Viettel Cyber Security's team to execute arbitrary commands and hack a TS-464 NAS device. QNAP has addressed this issue in HBS 3 Hybrid Backup Sync versions 25.1.1.673 and later. To apply the update, users should log in to QTS or QuTS hero as an administrator, open the App Center, search for "HBS 3 Hybrid Backup Sync," and click on "Update." Note: the update button will not be available if HBS 3 Hybrid Backup Sync is already up-to-date.

The second vulnerability, tracked as CVE-2024-50387, relates to a SQL injection flaw in QNAP's SMB Service. Notably, security researcher YingMou (working with the DEVCORE Internship Program) was able to exploit this flaw to gain a root shell and take over a QNAP TS-464 NAS device. CVE-2024-50387 has since been fixed in SMB Service versions 4.15.002 and later (QTS) and h4.15.002 and later (QuTS hero). Instructions on updating the SMB service can be found here.
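As an added defender-side example (not from the advisory, BleepingComputer, or QNAP), the following script encodes the fixed versions stated above and checks a device inventory against them. The inventory, hostnames, and component labels are constructed assumptions; the one thing worth getting right is that QuTS hero builds carry an "h" prefix (h4.15.002) and must be compared within their own release train rather than against the QTS number.

```python
"""Patch-compliance check for CVE-2024-50388 and CVE-2024-50387 (added example).

The fixed versions below are the ones the advisory text states; the inventory
at the bottom is constructed sample data, not output from any real NAS.
"""
import re

# CVE -> (component label, fixed version per release train). QTS builds use a
# plain version string; QuTS hero builds prefix the same scheme with "h".
FIXED_VERSIONS = {
    "CVE-2024-50388": ("HBS 3 Hybrid Backup Sync", {"": "25.1.1.673"}),
    "CVE-2024-50387": ("SMB Service", {"": "4.15.002", "h": "h4.15.002"}),
}

_VERSION_RE = re.compile(r"^(?P<train>h?)(?P<nums>\d+(?:\.\d+)*)$")


def parse_version(text):
    """Split 'h4.15.002' into ('h', (4, 15, 2)); raise on anything else."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    return m.group("train"), tuple(int(p) for p in m.group("nums").split("."))


def is_fixed(cve, installed):
    """True if `installed` is at or above the fixed version for `cve`.

    Returns None when the installed build belongs to a release train the
    advisory gives no fixed version for, so callers flag it for manual review
    instead of silently treating it as patched.
    """
    _component, fixed_by_train = FIXED_VERSIONS[cve]
    train, installed_nums = parse_version(installed)
    fixed = fixed_by_train.get(train)
    if fixed is None:
        return None
    return installed_nums >= parse_version(fixed)[1]


def audit(inventory):
    """Map (host, cve) -> 'patched' | 'vulnerable' | 'unknown-train' | 'not-installed'.

    `inventory` is a list of {"host": ..., "apps": {component: version}}.
    A host without the component is still reported ('not-installed') so the
    report accounts for every host against every CVE.
    """
    report = {}
    for device in inventory:
        for cve, (component, _fixed) in FIXED_VERSIONS.items():
            version = device["apps"].get(component)
            if version is None:
                status = "not-installed"
            else:
                verdict = is_fixed(cve, version)
                status = {True: "patched", False: "vulnerable", None: "unknown-train"}[verdict]
            report[(device["host"], cve)] = status
    return report


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE_INVENTORY = [
    {"host": "nas-01", "apps": {"HBS 3 Hybrid Backup Sync": "25.1.1.673", "SMB Service": "4.15.002"}},
    {"host": "nas-02", "apps": {"HBS 3 Hybrid Backup Sync": "25.1.0.700", "SMB Service": "h4.14.009"}},
    {"host": "nas-03", "apps": {"SMB Service": "4.15.010"}},
]

if __name__ == "__main__":
    for (host, cve), status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {cve}  {status}")
```

The version fields would normally be pulled from each device's App Center or from a configuration-management export; the comparison logic is the part that is easy to get wrong when one fleet mixes QTS and QuTS hero units.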

Security Officer Comments:
QNAP NAS devices are commonly used by organizations to store and back up sensitive data and files, making them attractive targets for threat actors. Ransomware groups, in particular, have sought out such devices to install their malware strains and encrypt the data stored on them, forcing victims to pay a ransom. Recent ransomware attacks targeting QNAP devices include the Deadbolt, Checkmate, and eChoraix campaigns, which exploited security vulnerabilities to encrypt data on internet-exposed NAS devices. QNAP devices have also acted as C2 infrastructure for operations like Raspberry Robin, which is known for spreading malware via USB drives and using compromised NAS devices to store and fetch various payloads.

Suggested Corrections:
Organizations should apply the latest patches released to prevent potential exploitation. Given that actors are known for launching brute-force attacks to gain access to NAS devices, organizations should also change default credentials and ensure the use of strong passwords as per the guidelines (SP 800-63-4) specified by NIST. Furthermore, enabling multi-factor authentication (MFA) can be crucial in deterring potential device compromises. Below is a step-by-step guide on how to set up MFA:

https://www.qnap.com/en-us/how-to/faq/article/setting-up-the-2-step-verification-to-login-in-nas
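The credential recommendations above can be turned into a concrete check. This is an added example, not QNAP's code or the NIST text: it applies the SP 800-63 rules for memorized secrets (minimum length, blocklist of commonly used values, rejection of context-specific words, no composition rules) to a NAS's local accounts and also flags a still-enabled default admin account and accounts without 2-step verification. The account records, hostname and blocklist are constructed sample data; a real deployment would load a breached-password corpus and run the password rules at password-set time.

```python
"""Credential-hygiene check for NAS local accounts (added example).

Rules follow the SP 800-63 guidance for memorized secrets. All account data
below is constructed sample data.
"""
MIN_LENGTH = 8  # SP 800-63B minimum length for a user-chosen memorized secret

# Constructed stand-in for a breached/common-password corpus.
BLOCKLIST = {"password", "12345678", "qwerty123", "admin123", "qnapqnap"}


def password_findings(password, context_words=()):
    """Return the list of rule violations for one password (empty = acceptable).

    No composition rules (upper/lower/digit/symbol) are applied, in line with
    SP 800-63B; length and blocklist membership carry the check instead.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if lowered in BLOCKLIST:
        findings.append("appears on the blocklist")
    # Context-specific words: username, hostname, vendor name, and similar.
    for word in context_words:
        if word and word.lower() in lowered:
            findings.append(f"contains context-specific word {word!r}")
    return findings


def audit_accounts(accounts, hostname):
    """Map username -> findings for the enabled local accounts of one NAS.

    Each account is {"user": ..., "password": ..., "mfa": bool, "enabled": bool}.
    Clear-text passwords appear here only because the data is constructed;
    in practice this runs when a password is set, before it is hashed.
    """
    report = {}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        findings = password_findings(acct["password"], (acct["user"], hostname, "qnap"))
        if acct["user"] == "admin":
            findings.append("default 'admin' account still enabled")
        if not acct["mfa"]:
            findings.append("2-step verification not enabled")
        report[acct["user"]] = findings
    return report


# Constructed sample accounts for a NAS named nas-01.
SAMPLE_HOSTNAME = "nas-01"
SAMPLE_ACCOUNTS = [
    {"user": "admin", "password": "admin123", "mfa": False, "enabled": True},
    {"user": "backup-svc", "password": "nas-01Backup!", "mfa": True, "enabled": True},
    {"user": "jdoe", "password": "correct horse battery staple", "mfa": True, "enabled": True},
    {"user": "olduser", "password": "x", "mfa": False, "enabled": False},
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, SAMPLE_HOSTNAME).items():
        print(user, "->", "; ".join(findings) if findings else "ok")
```

Disabled accounts are skipped on purpose so the report lists only what an attacker could actually brute-force; re-enable checks belong in a separate account-lifecycle review.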

Link(s):
https://www.bleepingcomputer.com/ne...nd-zero-day-exploited-at-pwn2own-to-get-root/

https://www.qnap.com/en/security-advisory/qsa-24-41

https://www.qnap.com/en/security-advisory/qsa-24-42