Ethical Hacking News
QNAP has addressed six critical Rsync vulnerabilities in its NAS backup and recovery software. The fixes come as a response to heap buffer overflows, information leaks, server-leaked arbitrary client files, path traversal via the --inc-recursive option, bypasses of the --safe-links option, and symbolic link race conditions. Users are advised to update their HBS 3 Hybrid Backup Sync software to the latest version to patch these vulnerabilities.
QNAP has patched six critical vulnerabilities in its HBS 3 Hybrid Backup Sync app. The vulnerabilities affect heap buffer overflows, information leaks, server-leaked files, path traversal, bypasses of the --safe-links option, and symbolic link race conditions. These vulnerabilities have significant implications for users of Rsync, particularly those using QNAP's software as part of their backup and disaster recovery protocols. Exploiting these vulnerabilities could allow attackers to gain remote code execution on unpatched NAS devices. A Shodan search revealed that over 700,000 IP addresses have exposed Rsync servers, but it's unclear how many are vulnerable to attacks exploiting these security vulnerabilities. QNAP advises customers to update their software to the latest version (25.1.4.952) to patch the vulnerabilities.
In a recent update to its Network-Attached Storage (NAS) backup and disaster recovery software, QNAP has patched six critical vulnerabilities in its HBS 3 Hybrid Backup Sync app. The company's move is a response to the discovery of multiple heap buffer overflows, information leaks via uninitialized stack, server-leaked arbitrary client files, path traversal via the --inc-recursive option, bypasses of the --safe-links option, and symbolic link race conditions in the Rsync protocol.
According to Sergiu Gatlan, a news reporter who has covered cybersecurity and technology developments for over a decade, the vulnerabilities were identified as CVE-2024-12084 (heap buffer overflow), CVE-2024-12085 (information leak via uninitialized stack), CVE-2024-12086 (server-leaked arbitrary client files), CVE-2024-12087 (path traversal via --inc-recursive option), CVE-2024-12088 (bypasses of the --safe-links option), and CVE-2024-12747 (symbolic link race condition). These vulnerabilities have significant implications for users of Rsync, particularly those using QNAP's software as part of their backup and disaster recovery protocols.
The risks associated with these vulnerabilities are substantial. By exploiting them, attackers could gain remote code execution on unpatched NAS devices. This is particularly concerning given the widespread use of Rsync in various applications, including cloud and server management operations, public file distribution, and as part of backup solutions like Rclone, DeltaCopy, and ChronoSync.
CERT/CC had warned that when combined, these vulnerabilities could allow a client to execute arbitrary code on a device with an Rsync server running. The attackers required only anonymous read access to the vulnerable servers for this exploitation to occur. Furthermore, attackers could take control of malicious servers and read or write arbitrary files of any connected client.
A Shodan search revealed that more than 700,000 IP addresses have exposed Rsync servers, but it is unclear how many are vulnerable to attacks exploiting these security vulnerabilities since successful exploitation requires valid credentials or servers configured for anonymous connections.
QNAP has released a security advisory addressing the vulnerabilities in HBS 3 Hybrid Backup Sync 25.1.4.952 and advising customers to update their software to the latest version. To do this, users need to log on as an administrator, open App Center, search for HBS 3 Hybrid Backup Sync, wait for it to show up in the search results, click Update, and then OK in the follow-up confirmation message.
The security implications of these vulnerabilities cannot be overstated. As with any critical vulnerability, the potential for malicious actors to exploit them is significant. This highlights the need for users to keep their software up-to-date and exercise caution when accessing vulnerable systems or services.
In light of this update, cybersecurity experts remind users that it's essential to prioritize the security of their NAS devices and backup protocols. By staying informed about the latest vulnerabilities and taking steps to patch them promptly, individuals can minimize the risk of compromise and ensure the integrity of their data.
As technology continues to advance at a rapid pace, the importance of vigilance in cybersecurity cannot be overstated. The recent update by QNAP serves as a reminder that even seemingly secure software can have hidden vulnerabilities waiting to be discovered.
By remaining informed about emerging threats and taking proactive steps to address them, users can help safeguard their systems and data against malicious actors who seek to exploit these weaknesses.
Related Information:
https://www.bleepingcomputer.com/news/security/qnap-fixes-six-rsync-vulnerabilities-in-hbs-nas-backup-recovery-app/
https://www.hendryadrian.com/qnap-fixes-six-rsync-vulnerabilities-in-nas-backup-recovery-app/
https://nvd.nist.gov/vuln/detail/CVE-2024-12084
https://www.cvedetails.com/cve/CVE-2024-12084/
https://nvd.nist.gov/vuln/detail/CVE-2024-12085
https://www.cvedetails.com/cve/CVE-2024-12085/
https://nvd.nist.gov/vuln/detail/CVE-2024-12086
https://www.cvedetails.com/cve/CVE-2024-12086/
https://nvd.nist.gov/vuln/detail/CVE-2024-12087
https://www.cvedetails.com/cve/CVE-2024-12087/
https://nvd.nist.gov/vuln/detail/CVE-2024-12088
https://www.cvedetails.com/cve/CVE-2024-12088/
https://nvd.nist.gov/vuln/detail/CVE-2024-12747
https://www.cvedetails.com/cve/CVE-2024-12747/
Published: Thu Jan 23 18:04:26 2025 by llama3.2 3B Q4_K_M
