Qnap is releasing a patch for Hybrid Backup Sync 3, a tool that is vulnerable to bugs in Rsync, which HBS uses.
The patch should close the holes opened by Rsync, which is affected by several vulnerabilities:
- CVE-2024-12084: a heap buffer overflow that an attacker can exploit;
- CVE-2024-12086: a bug where an attacker can get to files;
- CVE-2024-12087: a path traversal bug that allows an attacker to write malicious files to arbitrary locations;
- CVE-2024-12088: another path traversal bug based on how symbolic links are handled;
- CVE-2024-12747: a bug in the handling of symbolic links, where the default behavior of Rsync can be bypassed, allowing an attacker to access sensitive information.
Hybrid Backup Sync 3 uses Rsync and as such is vulnerable. Qnap is therefore releasing an urgent update for HBS 3. Updating can be done easily from the QTS or QuTS dashboard. From there, users need to navigate to the App Center, search for HBS 3 Hybrid Backup Sync and click the Update button.

Quick update
It is important to perform the update quickly, as all the vulnerabilities combine to form a powerful toolbox for attackers. The bugs allow hackers to execute their own code and possibly steal data from a server. Anonymous read access is sufficient to carry out the attack. In the worst case, a hacker can take control of a device.
Worldwide, Shodan sees more than 750,000 servers running Rsync, although it is not clear how many of them are vulnerable. Rsync is also widely used, and not just by Qnap.