- QNAP said it fixed six flaws in its Hybrid Backup Sync tool
- The flaws came from rsync, an open source file synchronization tool
- Users are advised to update their HBS immediately
QNAP has fixed half a dozen vulnerabilities affecting its Hybrid Backup Sync (HBS) software.
In a security advisory, the company said the vulnerabilities were discovered in rsync, an open source file synchronization tool used to transfer and synchronize files between systems. It supports local and remote operations over SSH, can also run as a standalone daemon listening on TCP port 873 (the mode public mirrors expose), and minimizes data transfer by sending only the parts of files that changed. Many backup solutions use rsync, including Duplicity, Bacula, Rclone and others.
HBS is a data backup and disaster recovery solution that supports local, remote, and cloud storage services.
Arbitrary code execution
Five of the six bugs are tracked as CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, and CVE-2024-12088, and they affect HBS 3 Hybrid Backup Sync 25.1.x. QNAP said they could be used to remotely execute malicious code on unpatched network attached storage (NAS) devices. According to the advisory, attackers would need only anonymous read access to a vulnerable rsync server to exploit the flaws.
“When combined, the first two vulnerabilities (buffer overflow and information leak) allow a client to execute arbitrary code on a device on which an Rsync server is running,” CERT/CC said when rsync 3.4.0 was released. “The client only requires anonymous read access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files from any connected client.”
To secure their systems, administrators are advised to update HBS 3 Hybrid Backup Sync to version 25.1.4.952 by logging into QTS or QuTS hero as administrator, opening App Center, searching for HBS 3 Hybrid Backup Sync, and then clicking the Update button.
According to BleepingComputer, there are currently over 700,000 IP addresses with exposed rsync servers, but it is difficult to determine how many can be exploited.
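The exposure CERT/CC describes (a client with nothing but anonymous read access to an rsync daemon) and the "exposed rsync servers" count above both come down to one question an administrator can answer for their own NAS: does anything answer on port 873 and hand out a module list without credentials? The script below is an added example written for this article; it is not QNAP's, rsync's or CERT/CC's code. It speaks the first lines of the rsync daemon protocol (banner, protocol echo, `#list` request), parses the module listing, and checks `rsync --version` output against the fixed 3.4.0 release. The `start_fake_daemon` helper and the module names it serves are constructed for the offline demo; the function and variable names are the author's own.

```python
"""Probe an rsync daemon for anonymous module listing and check rsync's version.

Added example, not code from QNAP, rsync or CERT/CC. Run it as-is for an
offline demo against a constructed fake daemon, or call list_modules() with
the address of a NAS you are allowed to test.
"""
import re
import socket
import threading

RSYNC_DAEMON_PORT = 873
FIXED_VERSION = (3, 4, 0)  # rsync release that carries the fixes discussed above

# Daemon banner, e.g. b"@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n"
_GREETING = re.compile(rb"^@RSYNCD: (\d+)(?:\.(\d+))?")
# First line of `rsync --version`, e.g. "rsync  version 3.2.7  protocol version 31"
_VERSION = re.compile(r"rsync\s+version\s+(\d+)\.(\d+)(?:\.(\d+))?")


def parse_greeting(line: bytes):
    """Return (protocol_major, protocol_minor) from the daemon banner, or None if not rsyncd."""
    m = _GREETING.match(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2) or 0)


def parse_module_list(payload: bytes) -> list:
    """Module names from a listing: one 'name<tab>comment' per line, ended by '@RSYNCD: EXIT'."""
    names = []
    for raw in payload.split(b"\n"):
        line = raw.strip()
        if line == b"@RSYNCD: EXIT":
            break
        if not line or line.startswith(b"@RSYNCD:") or line.startswith(b"@ERROR"):
            continue
        names.append(line.split(b"\t", 1)[0].strip().decode("utf-8", "replace"))
    return names


def needs_update(version_output: str) -> bool:
    """True if the `rsync --version` text describes a release older than 3.4.0."""
    m = _VERSION.search(version_output)
    if not m:
        raise ValueError("not rsync --version output")
    found = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return found < FIXED_VERSION


def _read_until(sock, marker: bytes, limit: int = 65536) -> bytes:
    """Read from the socket until `marker` appears, the peer closes, or `limit` bytes arrive."""
    buf = b""
    while marker not in buf and len(buf) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def list_modules(host: str, port: int = RSYNC_DAEMON_PORT, timeout: float = 5.0) -> dict:
    """Connect, echo the daemon's protocol line, request '#list', and report visible modules."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_until(s, b"\n")
        proto = parse_greeting(banner)
        if proto is None:  # something else is listening (or nothing rsync-like answered)
            return {"rsyncd": False, "protocol": None, "modules": []}
        s.sendall(b"@RSYNCD: %d.%d\n" % proto)  # client announces the protocol it will speak
        s.sendall(b"#list\n")                   # '#list' (or an empty line) asks for the module list
        listing = _read_until(s, b"@RSYNCD: EXIT")
    return {"rsyncd": True, "protocol": proto, "modules": parse_module_list(listing)}


def start_fake_daemon(modules) -> int:
    """Constructed stand-in for a daemon with anonymous, listable modules (demo only).

    Serves exactly one connection on 127.0.0.1 and returns the chosen port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n")
            buf = b""
            while buf.count(b"\n") < 2:  # protocol line + module request, possibly in one segment
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            for name, comment in modules:
                conn.sendall(b"%-15s\t%s\n" % (name, comment))
            conn.sendall(b"@RSYNCD: EXIT\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo; replace the host/port with a NAS you own to probe it for real.
    port = start_fake_daemon([(b"backup", b"NAS backup share"), (b"mirror", b"public mirror")])
    print(list_modules("127.0.0.1", port))
    print("needs update:", needs_update("rsync  version 3.2.7  protocol version 31"))
```

Two caveats when reading the result. A listing only shows modules configured with `list = yes`, so an empty list does not prove that nothing is shared; the banner alone already tells you a daemon is reachable. And a reachable daemon is exposure, not proof of exploitability: the decisive check is the version, which on a NAS means running `rsync --version` over SSH (or, for HBS, confirming 25.1.4.952 or later in App Center) rather than anything the daemon tells an anonymous client. rsync over SSH transport shows no `@RSYNCD` banner at all, so this probe says nothing about that path.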
Via BleepingComputer