2025-01-24

QNAP said it addressed six flaws in its Hybrid Backup Sync tool

The flaws stemmed from rsync, an open-source file syncing tool

Users are advised to update their HBS immediately

QNAP has addressed half a dozen vulnerabilities affecting its Hybrid Backup Sync (HBS) software.

In a security advisory, the company noted the vulnerabilities were discovered in rsync, an open-source file synchronization tool used to transfer and sync files between systems. It supports local copies, remote transfers over SSH, and its own daemon mode (listening on TCP port 873, often with anonymous read access to "modules"), and it minimizes data transfer by sending only the parts of files that changed. Many backup products wrap or build on rsync (Duplicity, for example, uses librsync, the library implementation of its delta algorithm), so a flaw in rsync propagates into products such as HBS.

HBS is a data backup and disaster recovery solution that supports local, remote, and cloud storage services.

Arbitrary code execution

The bugs are tracked as CVE-2024-12084 (heap buffer overflow in checksum parsing), CVE-2024-12085 (information leak via uninitialized stack contents), CVE-2024-12086 (a malicious server can read arbitrary files from a connected client), CVE-2024-12087 (path traversal), CVE-2024-12088 (bypass of the --safe-links option) and CVE-2024-12747 (symbolic-link race condition), and affect HBS 3 Hybrid Backup Sync 25.1.x. All six were fixed upstream in rsync 3.4.0. QNAP said they could be used to run malicious code remotely against unpatched Network Attached Storage (NAS) endpoints. According to CERT/CC, an attacker needs only anonymous read access to a vulnerable rsync server to exploit the flaws.

"When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running," CERT/CC said when rsync 3.4.0 was released. "The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client."

To secure their systems, administrators are advised to update HBS 3 Hybrid Backup Sync to version 25.1.4.952 or later: log into QTS or QuTS hero as an administrator, open App Center, search for HBS 3 Hybrid Backup Sync, and click Update.

According to BleepingComputer, more than 700,000 IP addresses currently expose an rsync server to the internet, though how many of them are actually exploitable is hard to determine.
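The two checks a practitioner wants after reading the above are whether a given rsync build predates the 3.4.0 fix release and whether a host is running an rsync daemon that answers anonymously, which is the exposure CERT/CC describes. The script below is an added example; it is not code from QNAP, the rsync project or the original article. The handshake it speaks (the daemon's "@RSYNCD: <version>" greeting, the client's echo, a "#list" request, and the "@RSYNCD: EXIT" terminator) is the real rsync daemon protocol, while the module names, the sample version strings and the fake local daemon used for offline testing are constructed for illustration.

```python
"""Added example (not QNAP's, rsync's or the article's code): flag rsync builds
older than 3.4.0 and probe a host for an anonymously answering rsync daemon.
Module names, sample version strings and the fake daemon are constructed."""
import re
import socket
import threading

RSYNC_PORT = 873
# First upstream release carrying the fixes for CVE-2024-12084..12088 and CVE-2024-12747.
FIXED_VERSION = (3, 4, 0)


def parse_version(text):
    """Return (major, minor, patch) from 'rsync --version' output, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable_version(text):
    """True if older than 3.4.0, False if 3.4.0 or newer, None if no version
    could be parsed (an unknown version must not be treated as safe)."""
    v = parse_version(text)
    return None if v is None else v < FIXED_VERSION


def parse_module_list(payload):
    """Parse the daemon's reply to '#list': one 'name<tab>comment' line per
    module, terminated by '@RSYNCD: EXIT'. Returns a list of (name, comment)."""
    modules = []
    for line in payload.decode("utf-8", "replace").splitlines():
        if line.startswith("@"):  # greeting, '@RSYNCD: EXIT' or an '@ERROR:' line
            if line.strip() == "@RSYNCD: EXIT":
                break
            continue
        if line.strip():
            name, _, comment = line.partition("\t")
            modules.append((name.strip(), comment.strip()))
    return modules


def probe_rsync_daemon(host, port=RSYNC_PORT, timeout=5.0):
    """Connect, read the greeting, echo its protocol version, request the
    module list. Returns (greeting, modules), or None if no daemon answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile("rwb")
            greeting = f.readline().decode("ascii", "replace").strip()
            if not greeting.startswith("@RSYNCD:"):
                return None
            # Echo only '@RSYNCD: <ver>' (3.2+ daemons append a digest list).
            f.write((" ".join(greeting.split()[:2]) + "\n").encode("ascii"))
            f.write(b"#list\n")
            f.flush()
            lines = []
            for line in f:
                lines.append(line)
                if line.strip() == b"@RSYNCD: EXIT":
                    break
            return greeting, parse_module_list(b"".join(lines))
    except OSError:
        return None


def serve_fake_daemon(reply):
    """Constructed stand-in daemon for offline use: listens on an ephemeral
    localhost port, sends the first line of `reply` as its greeting, reads the
    client's two lines, then sends the rest. Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    greeting, _, rest = reply.partition(b"\n")

    def handle():
        conn, _ = srv.accept()
        f = conn.makefile("rwb")
        f.write(greeting + b"\n")
        f.flush()
        f.readline()  # client's protocol-version echo
        f.readline()  # '#list'
        f.write(rest)
        f.flush()
        f.close()
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


# Constructed daemon reply: greeting with digest negotiation list, two modules, terminator.
SAMPLE_DAEMON_REPLY = (
    b"@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n"
    b"backup         \tNAS backup share\n"
    b"public         \tanonymous mirror\n"
    b"@RSYNCD: EXIT\n"
)

if __name__ == "__main__":
    print("3.2.7 vulnerable:", is_vulnerable_version("rsync  version 3.2.7  protocol version 31"))
    port = serve_fake_daemon(SAMPLE_DAEMON_REPLY)
    print("probe:", probe_rsync_daemon("127.0.0.1", port=port))
```

Run it as-is to see the exchange against the fake daemon; to check a real NAS, call probe_rsync_daemon with its address. A non-empty module list from an address reachable by untrusted networks is exactly the "anonymous read access" precondition CERT/CC mentions, and is worth fixing even after HBS is updated. Note that the daemon greeting reports the protocol version (31 or 32), not the rsync release, so the version check has to run against the output of the rsync binary on the device itself.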

Via BleepingComputer