QNAP Patches Two Zero-Days Exploited at Pwn2Own Ireland 2024
October 31, 2024 – QNAP addressed two critical zero-day vulnerabilities exploited by security researchers during the recent Pwn2Own Ireland 2024 hacking competition.
First Vulnerability (CVE-2024-50387):
- Type: SQL Injection (SQLi)
- Affected component: QNAP’s SMB Service
- Exploit: Argument injection and SQL injection to achieve root shell access on QNAP TS-464 NAS
- Patch: SMB Service 4.15.002 or later
Second Vulnerability (CVE-2024-50388):
- Type: OS command injection
- Affected component: HBS 3 Hybrid Backup Sync
- Exploit: Remote code execution
- Patch: HBS 3 Hybrid Backup Sync 25.1.1.673 and later
Additional details:
- Both vulnerabilities were reported to Trend Micro’s Zero Day Initiative
- QNAP addressed both vulnerabilities quickly despite having 90 days to do so
- The researchers who discovered the vulnerabilities received awards and recognition
This demonstrates the importance of responsible vulnerability disclosure and timely patching to mitigate potential security risks.
Author:
Pierluigi Paganini
SecurityAffairs – Cybersecurity News & Insights