QNAP has fixed six rsync vulnerabilities that could let attackers gain remote code execution on unpatched Network Attached Storage (NAS) devices.
Rsync is an open-source file synchronization tool that supports direct file syncing via its daemon, transfers over SSH, and incremental transfers that save time and bandwidth.
It’s widely used by many backup solutions like Rclone, DeltaCopy, and ChronoSync, as well as in cloud and server management operations and public file distribution.
The flaws are tracked as CVE-2024-12084 (heap buffer overflow), CVE-2024-12085 (information leak via uninitialized stack), CVE-2024-12086 (server leaks arbitrary client files), CVE-2024-12087 (path traversal via the `--inc-recursive` option), CVE-2024-12088 (bypass of the `--safe-links` option), and CVE-2024-12747 (symbolic link race condition).
QNAP says they affect HBS 3 Hybrid Backup Sync 25.1.x, the company’s data backup and disaster recovery solution, which supports local, remote, and cloud storage services.
In a security advisory released on Thursday, QNAP said it addressed these vulnerabilities in HBS 3 Hybrid Backup Sync 25.1.4.952 and advised customers to update their software to the latest version.
To update the Hybrid Backup Sync installation on your NAS device, you will have to:
- Log on to QTS or QuTS hero as an administrator.
- Open App Center and search for HBS 3 Hybrid Backup Sync.
- Wait for HBS 3 Hybrid Backup Sync to show up in the search results.
- Click Update and then OK in the follow-up confirmation message.
These rsync flaws can be chained together to achieve remote system compromise, and attackers need only anonymous read access to a vulnerable server.
“When combined, the first two vulnerabilities (heap buffer overflow and information leak) allow a client to execute arbitrary code on a device that has an Rsync server running,” warned CERT/CC one week ago when rsync 3.4.0 was released with security fixes.
“The client requires only anonymous read-access to the server, such as public mirrors. Additionally, attackers can take control of a malicious server and read/write arbitrary files of any connected client.”
A Shodan search shows more than 700,000 IP addresses with exposed rsync servers. However, it’s unclear how many of them are vulnerable to attacks exploiting these security vulnerabilities since successful exploitation requires valid credentials or servers configured for anonymous connections.