Alert GCSA-24144 - Critical vulnerabilities in QNAP NAS
******************************************************************
Alert ID: GCSA-24144
date: 31 October 2024
title: Critical vulnerabilities in QNAP NAS
******************************************************************
:: Problem description
QNAP has fixed two critical zero-day vulnerabilities, exploited by security
researchers during the Pwn2Own Ireland 2024 hacking contest.
Further information is available in the "References" section.
:: Affected software
CVE-2024-50387
SMB Service before version 4.15.002
SMB Service before version h4.15.002
CVE-2024-50388
HBS 3 Hybrid Backup Sync before version 25.1.1.673
:: Impact
Arbitrary remote code execution (RCE)
Security feature bypass (SFB)
:: Solutions
Update the products to the latest versions
https://www.qnap.com/en/security-advisory/qsa-24-41
https://www.qnap.com/en/security-advisory/qsa-24-42
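An added inventory check (example code, not GARR CERT's or QNAP's) that maps the fixed versions listed above onto a device inventory and flags installs still below them. The host names are constructed, and treating the "h" prefix as a separate version line that is only compared within itself is an assumption.

```python
import re

# Fixed versions exactly as listed in the advisory: CVE -> component -> fixed versions.
# SMB Service has a plain and an "h"-prefixed entry; the prefix is treated here as a
# separate version line (assumption: versions are only compared within the same line).
FIXED_VERSIONS = {
    "CVE-2024-50387": {"SMB Service": ("4.15.002", "h4.15.002")},
    "CVE-2024-50388": {"HBS 3 Hybrid Backup Sync": ("25.1.1.673",)},
}

_VERSION_RE = re.compile(r"([A-Za-z]*)(\d+(?:\.\d+)*)")

def parse_version(text):
    """Return (line_prefix, numeric_tuple) for a version such as 'h4.15.002'.
    int() drops leading zeros, so '002' and '2' compare equal."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1).lower(), tuple(int(p) for p in m.group(2).split("."))

def is_vulnerable(installed, fixed_versions):
    """True if 'installed' is older than the fixed version of the same line,
    False if it is at or above it, None if the advisory lists no such line."""
    prefix, nums = parse_version(installed)
    for fixed in fixed_versions:
        fixed_prefix, fixed_nums = parse_version(fixed)
        if fixed_prefix == prefix:
            return nums < fixed_nums
    return None

def check_inventory(inventory):
    """inventory: list of {'host', 'component', 'version'} dicts. Returns findings
    (host, cve, component, version, status); status is 'vulnerable' or 'review'
    (the installed version line is not covered by the advisory)."""
    findings = []
    for item in inventory:
        for cve, components in FIXED_VERSIONS.items():
            fixed = components.get(item["component"])
            if fixed is None:
                continue
            state = is_vulnerable(item["version"], fixed)
            if state is not False:
                status = "vulnerable" if state else "review"
                findings.append((item["host"], cve, item["component"], item["version"], status))
    return findings

# Constructed sample inventory (not real hosts) used to exercise the check.
SAMPLE_INVENTORY = [
    {"host": "nas-01", "component": "SMB Service", "version": "4.14.005"},
    {"host": "nas-02", "component": "SMB Service", "version": "h4.15.002"},
    {"host": "nas-03", "component": "HBS 3 Hybrid Backup Sync", "version": "25.1.0.900"},
    {"host": "nas-04", "component": "SMB Service", "version": "c4.15.001"},
]
```

Running `check_inventory(SAMPLE_INVENTORY)` reports nas-01 and nas-03 as vulnerable and nas-04 for manual review; nas-02 is already at the fixed version.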
:: References
QNAP Security Advisory:
https://www.qnap.com/en/security-advisories
Bleeping Computer
https://www.bleepingcomputer.com/news/security/qnap-synology-lexmark-devices-hacked-on-pwn2own-day-3/
https://www.bleepingcomputer.com/news/security/qnap-fixes-nas-backup-software-zero-day-exploited-at-pwn2own/
https://www.bleepingcomputer.com/news/security/qnap-patches-second-zero-day-exploited-at-pwn2own-to-get-root/
SecurityWeek
https://www.securityweek.com/synology-qnap-truenas-address-vulnerabilities-exploited-at-pwn2own-ireland/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50387
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50388
GARR CERT Security Alert - subscribe/unsubscribe:
https://www.cert.garr.it/alert/ricevi-gli-alert-di-cert