CVE-2024-50387: Critical QNAP Flaw Exploited in Hacking Contest, Patch Now!
In a thrilling showdown at the recent Pwn2Own Ireland 2024 hacking competition, white hat hacker YingMuo (@YingMuo), working with the DEVCORE Internship Program, successfully exploited a critical zero-day vulnerability in QNAP’s SMB Service. This vulnerability, tracked as CVE-2024-50387, allowed the team to gain complete control of a QNAP TS-464 NAS device.
The attack, which involved a clever combination of argument injection and SQL injection techniques, earned the team a $20,000 prize and 4 Master of Pwn points.
Confirmed! YingMuo (@YingMuo) working with DEVCORE Internship Program used an argument injection and a SQL injection to get their root shell on the QNAP TS-464 NAS. Their third-round victory gets them $20,000 and 4 Master of Pwn points. #Pwn2Own #P2OIreland pic.twitter.com/H4stJflv2M
— Zero Day Initiative (@thezdi) October 23, 2024
QNAP, known for its robust NAS solutions, responded swiftly to the discovery. Despite having a 90-day grace period before public disclosure, the company promptly released updates to address the vulnerability. Users of QNAP NAS devices are strongly urged to update their SMB Service to version 4.15.002 or later to mitigate the risk of exploitation.
Updating your QNAP NAS is a straightforward process:
- Log in: Access your QTS or QuTS hero interface as an administrator.
- Open App Center: Locate and launch the App Center.
- Search for SMB Service: Use the search box to find “SMB Service.”
- Update: Click the “Update” button next to the SMB Service listing.
- Confirm: Confirm the update process to install the latest version.
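To confirm the update landed on every device, the following added example (not QNAP's code and not from the original article) classifies each NAS's installed SMB Service version against the 4.15.002 fix. The INI-style package listing, the `SMBService` section name and the sample hosts are assumptions constructed for illustration.

```python
import configparser
import re

FIXED = (4, 15, 2)  # SMB Service 4.15.002, the fixed version named in the article
# Assumption: the app appears under this section name in the collected
# package listing; adjust it to match what your devices report.
SECTION = "SMBService"

def parse_version(text):
    """Turn '4.15.002' into (4, 15, 2); return None if not dotted numeric."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def smb_service_status(listing_text):
    """Classify one device: 'patched', 'vulnerable', 'not_listed' or 'unknown'."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cfg.read_string(listing_text)
    except configparser.Error:
        return "unknown"  # unparseable listing: needs a manual look
    if not cfg.has_section(SECTION):
        return "not_listed"
    version = parse_version(cfg.get(SECTION, "Version", fallback=""))
    if version is None:
        return "unknown"
    # Compare numerically, padding so that '4.15' is treated as 4.15.0
    width = max(len(version), len(FIXED))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(version) >= pad(FIXED) else "vulnerable"

# Constructed sample inventory (hypothetical hosts and listings)
SAMPLE_FLEET = {
    "nas-01": "[SMBService]\nName = SMBService\nVersion = 4.15.001\nEnable = TRUE\n",
    "nas-02": "[SMBService]\nVersion = 4.15.002\n",
    "nas-03": "[SMBService]\nVersion = 4.9.100\n",
    "nas-04": "[OtherApp]\nVersion = 1.0.0\n",
    "nas-05": "[SMBService]\nVersion = beta\n",
}

def audit(fleet):
    """Map each host name to its SMB Service patch status."""
    return {host: smb_service_status(text) for host, text in fleet.items()}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_FLEET).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 4.9.100 above 4.15.002 and report an unpatched device as fixed.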
Unpatched vulnerabilities like CVE-2024-50387 expose systems to unauthorized access, data theft, and other cybersecurity risks. While the vulnerability has been responsibly disclosed and fixed, NAS users should remain vigilant with frequent updates and regular system checks.