Two major security issues hit QNAP users
In a way of working that looks like one person digging a trench while another behind them fills it in, and a third one digs it out yet again, this is another example of how bad software keeps the cyber security industry in business. (Great read, by the way.)
Bad software may be too harsh a term: flaws range from exposed credentials and misconfiguration to more advanced issues such as use-after-free bugs, or the implicit flaws that C/C++ can introduce when the programmer does not manage memory properly, does not analyze the code, or does not run a sanitizer over it.
Unfortunately, one of the biggest NAS (Network Attached Storage) companies found itself in dire need of fixing zero-day issues. QNAP was the one recently affected, but we are also monitoring and noting that its competitor Synology needed security patching as well.
We still consider self hosting a great alternative to cloud-only usage, for business but also for personal use. But as mentioned in the article, it comes with the need to handle security yourself.
It sounds overly complex, but the same applies to using a smartphone or a computer, so it can be as complex or as easy as that: keep in mind what you install, keep it up to date, especially when security patches are due, and have monitoring, antivirus and a backup solution in place. Sounds simple enough!
The zero-day vulnerability
On October 29 and 30, 2024, QNAP patched two critical zero-day vulnerabilities, CVE-2024-50387 and CVE-2024-50388, that were affecting their NAS devices.
YingMuo (DEVCORE Internship Program) discovered this critical SQL injection (SQLi) vulnerability, tracked as CVE-2024-50387, and used it to gain a root shell and take control of a QNAP TS-464 NAS device at Pwn2Own Ireland 2024. This earned DEVCORE $20,000 and 4 Master of Pwn points.
Confirmed! YingMuo (@YingMuo) working with DEVCORE Internship Program used an argument injection and a SQL injection to get their root shell on the QNAP TS-464 NAS. Their third-round victory gets them $20,000 and 4 Master of Pwn points. #Pwn2Own #P2OIreland pic.twitter.com/H4stJflv2M
— Zero Day Initiative (@thezdi) October 23, 2024
Fortunately, white hat hackers exploited the second 0-day vulnerability (hopefully before the bad guys) against a TS-464 NAS device during the recent Pwn2Own Ireland 2024 hacking competition.
On day three of Pwn2Own Ireland 2024, Ha The Long with Ha Anh Hoang of Viettel Cyber Security (@vcslab) used a command injection bug to exploit the QNAP TS-464 NAS. Their success earned them $10,000 and 4 Master of Pwn points.
The sum may look impressive for what some would call just a bug, but given that this vulnerability could allow remote attackers to execute arbitrary commands on affected devices, and that it was a critical zero-day vulnerability, it is worth every penny.
Confirmed! Ha The Long with Ha Anh Hoang of Viettel Cyber Security (@vcslab) used a single command injection bug to exploit the QNAP TS-464 NAS. Their fourth-round win nets them $10,000 and 4 Master of Pwn points. #Pwn2Own #P2OIreland pic.twitter.com/j3Jl35FLBo
— Zero Day Initiative (@thezdi) October 24, 2024
Conclusion
We would like to further stress that exposing your NAS to the internet may not be a great idea at all.
Even with timely patching, devices running older versions remain vulnerable for a significant period between the release of a patch and the fix actually taking effect on the device, especially since attackers scan the web with various tools to find vulnerable devices. Soon enough, waiting even a day between the discovery of a 0-day issue and patching it will become a security risk in itself.
Photo by Billy Freeman.