QNAP Patches Four Pwn2Own Vulnerabilities in QTS and QuTS hero
- [01] Attackers can execute arbitrary commands or access sensitive data on QNAP NAS devices by exploiting unpatched vulnerabilities discovered at Pwn2Own Ireland 2024.
- [02] Impacted systems include QNAP NAS devices running QTS 5.2.1 and QuTS hero h5.2.1 or earlier versions of the firmware.
- [03] Administrators must immediately update to QTS 5.2.2.2950 or QuTS hero h5.2.2.2950 to mitigate the risk of exploitation.
According to SecurityWeek, QNAP Systems has issued critical security updates addressing four CVE entries discovered during the Pwn2Own Ireland 2024 hacking competition. These vulnerabilities affect the QTS and QuTS hero operating systems, which power a wide range of QNAP Network Attached Storage (NAS) devices. The exploitation of these flaws during the event demonstrated that remote attackers could potentially achieve remote code execution (RCE) or access sensitive internal data, making remediation a high priority for SOC teams and system administrators.
Technical Analysis of CVE-2024-50387 and CVE-2024-50388
The most severe of the reported issues is CVE-2024-50387, which is characterized by improper authentication. This flaw allows an attacker to bypass standard security checks and achieve OS command injection. When combined with other vectors, this could lead to full system compromise. The vulnerability was successfully demonstrated by the Viettel Cyber Security team at Pwn2Own, earning them significant recognition in the bug bounty community.
In parallel, CVE-2024-50388 involves a stack-based buffer overflow. This type of vulnerability occurs when a program writes more data to a buffer than it can hold, overwriting adjacent memory. On a QNAP NAS, such an overflow can be weaponized to execute malicious code or cause a denial of service. Vulnerabilities of this kind are frequently targeted by ransomware groups looking for an entry point into corporate networks, which makes detecting CVE-2024-50387 exploit attempts a priority for defenders.
Two additional vulnerabilities were addressed in this update cycle:
- CVE-2024-50389: An information exposure vulnerability that could allow attackers to read sensitive system details.
- CVE-2024-44682: A flaw involving missing authentication for a critical function, which could lead to unauthorized configuration changes.
Risk Assessment and Impact on NAS Security
NAS devices are frequent targets for APT groups and financially motivated actors because they serve as central repositories for sensitive organizational data. Once an attacker gains access through a vulnerability such as command injection, they often perform lateral movement to identify higher-value targets within the network. The CVSS scores for these vulnerabilities reflect a significant risk, particularly for devices exposed to the public internet.
The Pwn2Own contest serves as a zero-day showcase, and the rapid patching by QNAP highlights the severity of the findings. Security professionals should view these patches not just as routine maintenance but as a necessary defense against the sophisticated TTPs used in modern cyberattacks. Identifying the correct firmware upgrade path for each device is essential for maintaining a secure storage environment.
Applying the QNAP QTS 5.2.2.2950 Firmware Update and Best Practices
To protect against these vulnerabilities, QNAP recommends that users update their firmware to the latest available versions. The fixes are included in:
- QTS 5.2.2.2950 build 20241114 and later
- QuTS hero h5.2.2.2950 build 20241114 and later
Beyond applying the QNAP QTS 5.2.2.2950 firmware update, defenders should implement a zero-trust architecture for storage assets. This includes disabling unused services, ensuring that the NAS is not directly reachable from the internet, and using a VPN for remote access. Furthermore, forwarding NAS logs to a SIEM can provide early warning of phishing or brute-force attempts targeting administrative accounts. Regularly reviewing IoC lists published by vendors after such events is also a recommended practice for any organization using networked storage.
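As an added example (not code from the article or from QNAP), the following Python script audits a constructed firmware inventory against the fixed builds listed above, treating the QTS and QuTS hero version strings separately and refusing to mark a device patched when its build date is missing. The hostnames and the pre-fix version numbers in the sample inventory are assumptions.

```python
import re

# Fixed builds as published in the advisory covered by this article.
FIXED_BUILDS = {
    "QTS": ((5, 2, 2, 2950), 20241114),
    "QuTS hero": ((5, 2, 2, 2950), 20241114),
}

# Matches e.g. "QTS 5.2.2.2950 build 20241114" or "QuTS hero h5.2.2.2950 build 20241114".
_FW_RE = re.compile(
    r"^(?P<product>QTS|QuTS hero)\s+h?(?P<ver>\d+(?:\.\d+)*)"
    r"(?:\s+build\s+(?P<build>\d{8}))?$"
)


def parse_firmware(text):
    """Return (product, version tuple, build date or None) for a firmware string."""
    m = _FW_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    version = tuple(int(part) for part in m.group("ver").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return m.group("product"), version, build


def is_patched(text):
    """True only if the firmware is at or above the fixed build for its product line."""
    product, version, build = parse_firmware(text)
    fixed_version, fixed_build = FIXED_BUILDS[product]
    width = max(len(version), len(fixed_version))
    v = version + (0,) * (width - len(version))
    f = fixed_version + (0,) * (width - len(fixed_version))
    if v != f:
        return v > f
    # Same version number: the build date decides; an unknown build date is not proof.
    return build is not None and build >= fixed_build


def audit(inventory):
    """Return the (host, firmware) pairs that still need the update."""
    return [(host, fw) for host, fw in inventory if not is_patched(fw)]


# Constructed sample inventory; hosts and pre-fix build numbers are illustrative.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS 5.2.1.2900 build 20241001"),
    ("nas-02", "QTS 5.2.2.2950 build 20241114"),
    ("nas-03", "QuTS hero h5.2.1.2900 build 20241001"),
    ("nas-04", "QuTS hero h5.2.2.2950 build 20241114"),
    ("nas-05", "QTS 5.2.2.2950"),  # build date missing: flagged for verification
]

if __name__ == "__main__":
    for host, fw in audit(SAMPLE_INVENTORY):
        print(f"{host}: {fw} -> needs update")
```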