- QNAP says it has addressed six flaws in its Hybrid Backup Sync tool
- The flaws originate in rsync, an open source file synchronization tool
- Users are advised to update HBS immediately
QNAP has addressed half a dozen vulnerabilities affecting its Hybrid Backup Sync (HBS) software.
In a security advisory, the company said the vulnerabilities were discovered in rsync, an open source file synchronization tool used to transfer and synchronize files between systems. It supports local and remote operations over SSH and minimizes data transfer through incremental updates. Many backup solutions use rsync, including Duplicity, Bacula, Rclone, and others.
HBS is a data backup and disaster recovery solution that supports local, remote and cloud storage services.
Arbitrary code execution
The bugs are tracked as CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, and CVE-2024-12088, and affect HBS 3 Hybrid Backup Sync 25.1.x. QNAP said they could have been used to execute malicious code remotely on vulnerable network attached storage (NAS) endpoints. Apparently, threat actors would only need anonymous access to a vulnerable server to exploit the flaws.
“When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an RSYNC server running,” CERT/CC said when rsync 3.4.0 was released. “The client only requires anonymous read access to the server, like public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files from any connected client.”
To secure their systems, administrators are advised to update HBS 3 Hybrid Backup Sync to version 25.1.4.952 by logging into QTS or QuTS hero as an administrator, opening App Center, searching for HBS 3 Hybrid Backup Sync, and clicking the Update button.
According to BleepingComputer, there are currently over 700,000 IP addresses with exposed rsync servers, but it is difficult to determine how many of them can be exploited.
Via BleepingComputer