Alert GCSA-24144 - Vulnerabilita' critiche in NAS QNAP


******************************************************************

Alert ID: GCSA-24144
data: 31 ottobre 2024
titolo: Vulnerabilita' critiche in NAS QNAP

******************************************************************

:: Descrizione del problema

QNAP ha corretto due vulnerabilita' critiche di tipo zero-day, sfruttate da
dei ricercatori di sicurezza durante l'hacking contest Pwn2Own Ireland 2024.

Maggiori informazioni sono disponibili alla sezione "Riferimenti".


:: Software interessato

CVE-2024-50387

SMB Service before version 4.15.002
SMB Service before version h4.15.002

CVE-2024-50388

HBS 3 Hybrid Backup Sync before version 25.1.1.673


:: Impatto

Esecuzione remota di codice arbitrario (RCE)
Bypass delle funzionalita' di sicurezza (SFB)


:: Soluzioni

Aggiornare i prodotti alle ultime versioni
https://www.qnap.com/en/security-advisory/qsa-24-41
https://www.qnap.com/en/security-advisory/qsa-24-42


:: Riferimenti

QNAP Security Advisory:
https://www.qnap.com/en/security-advisories

Bleeping Computer
https://www.bleepingcomputer.com/news/security/qnap-synology-lexmark-devices-hacked-on-pwn2own-day-3/
https://www.bleepingcomputer.com/news/security/qnap-fixes-nas-backup-software-zero-day-exploited-at-pwn2own/
https://www.bleepingcomputer.com/news/security/qnap-patches-second-zero-day-exploited-at-pwn2own-to-get-root/

SecurityWeek
https://www.securityweek.com/synology-qnap-truenas-address-vulnerabilities-exploited-at-pwn2own-ireland/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50388


GARR CERT Security Alert - subscribe/unsubscribe:
https://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----

iGsEAREIACsWIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCZyPHYw0cY2VydEBnYXJy
Lml0AAoJEMGcTJNlEmBCd5IAoMjuGFPZ4loTAMiKH/R/lAIT1/uIAJwMWIe52ijK
fGoAjoGJKM5J8Jy79A==
=Fuyx
-----END PGP SIGNATURE-----