
QNAP has patched six rsync vulnerabilities, among them a chain that allows remote code execution, in Network Attached Storage (NAS) devices. The flaws affect the company's HBS 3 Hybrid Backup Sync application in the 25.1.x release branch, which bundles rsync for its backup and sync jobs.
The identified vulnerabilities include:
– CVE-2024-12084: Heap buffer overflow in the rsync daemon
– CVE-2024-12085: Information leak via uninitialized stack contents
– CVE-2024-12086: Server-side leak of arbitrary client files (a malicious server can reconstruct the contents of files on the client)
– CVE-2024-12087: Path traversal on the client side
– CVE-2024-12088: --safe-links option bypass
– CVE-2024-12747: Symbolic link race condition (time-of-check/time-of-use)
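The path traversal, --safe-links bypass and symlink race entries above all belong to one bug class: deciding whether a symlink stays inside a transfer root. The following Python example is added here for illustration and is not rsync's or QNAP's code, nor a reproduction of the CVEs; it contrasts a lexical target check (normalise the link target and compare prefixes) with one that resolves every symlink component. The temporary directory layout, the file names `hop`, `evil`, `ok` and `secret`, and their contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


def naive_safe_link(root: str, link_path: str) -> bool:
    """Lexical check: join the link target onto the link's directory,
    normalise away '..' and compare prefixes. Does NOT follow nested links."""
    target = os.readlink(link_path)
    if os.path.isabs(target):
        return False
    joined = os.path.normpath(os.path.join(os.path.dirname(link_path), target))
    abs_root = os.path.abspath(root)
    return os.path.commonpath([abs_root, os.path.abspath(joined)]) == abs_root


def resolved_safe_link(root: str, link_path: str) -> bool:
    """Resolve every symlink in the chain and compare the real paths.
    Still a check-then-use pattern, so it is racy against a concurrent
    writer (the symlink race class); the durable fix is openat()/O_NOFOLLOW."""
    real_root = os.path.realpath(root)
    real_target = os.path.realpath(link_path)
    return os.path.commonpath([real_root, real_target]) == real_root


def demo() -> dict:
    """Build a constructed tree and run both checks on each link:
    module/hop  -> ../outside        (first hop already escapes the root)
    module/evil -> hop/secret        (lexically inside, really outside)
    module/ok   -> data.txt          (genuinely inside)"""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "module")
        outside = os.path.join(tmp, "outside")
        os.makedirs(root)
        os.makedirs(outside)
        Path(outside, "secret").write_text("constructed secret\n")
        Path(root, "data.txt").write_text("constructed data\n")
        os.symlink("../outside", os.path.join(root, "hop"))
        os.symlink("hop/secret", os.path.join(root, "evil"))
        os.symlink("data.txt", os.path.join(root, "ok"))

        results = {}
        for name in ("hop", "evil", "ok"):
            link = os.path.join(root, name)
            results[f"{name}_naive"] = naive_safe_link(root, link)
            results[f"{name}_resolved"] = resolved_safe_link(root, link)
        return results


if __name__ == "__main__":
    for key, value in sorted(demo().items()):
        print(f"{key:>14}: {'inside' if value else 'ESCAPES ROOT'}")
```

The lexical check accepts `evil` because its target string `hop/secret` never leaves the root on paper; only resolving `hop` reveals that the data lands in `outside/secret`. Note that the resolving check answers a question about the filesystem at one instant, which is why the symlink race condition is listed as a separate CVE: a writer who swaps a directory for a link between the check and the use defeats it, and the robust design opens each component with O_NOFOLLOW relative to a directory descriptor instead of trusting a path string.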
Security Impact:
The heap buffer overflow and the uninitialized-stack leak can be chained: a client with nothing more than anonymous read access to an rsync daemon, which is how public mirrors are configured, can execute arbitrary code on the host running that daemon. The remaining flaws work in the other direction or locally: a malicious server can read arbitrary files from a connecting client and write outside the destination directory, and the --safe-links and symlink handling can be abused by whoever controls the files being synced.
Current Exposure:
A Shodan search shows more than 700,000 IP addresses with rsync servers exposed to the internet. Exposure alone is not exploitability: the remote code execution chain still requires either valid credentials or a module configured for anonymous access, though anonymous modules are common on public mirrors.
Resolution:
QNAP has released HBS 3 Hybrid Backup Sync version 25.1.4.952 to fix these vulnerabilities. Users can update through the following steps:
1. Log in to QTS/QuTS hero as administrator
2. Access App Center
3. Search for HBS 3 Hybrid Backup Sync
4. Click Update and confirm
Users are strongly advised to update immediately; any NAS whose rsync service is reachable from untrusted networks should also have that exposure reviewed, since the update closes the bugs but not the network path to them.