QNAP Patches Zero-Day Flaw in QuRouter Following Pwn2Own Ireland 2024 Exploits

Summary: QNAP has swiftly addressed a critical zero-day vulnerability in its QuRouter network security appliance, which was exploited during the Pwn2Own hacking contest. The vulnerability, tracked as CVE-2024-50389, prompted QNAP to release a patch and urge users to update immediately to enhance security.

Threat Actor: Viettel Cyber Security | Viettel Cyber Security
Victim: QNAP | QNAP

Key Point :

  • Viettel Cyber Security exploited the vulnerability during the Pwn2Own contest, leading to a successful compromise of the QuRouter device.
  • QNAP released a patch for QuRouter versions 2.4.x, urging users to update to version 2.4.5.032 or later.
  • This incident follows the discovery of two other zero-day vulnerabilities in QNAP products, also identified by Viettel Cyber Security.
  • QNAP’s prompt response is notable, as it contrasts with the typical 90-day disclosure window for vulnerabilities discovered during such competitions.
  • Users are provided with clear instructions for updating their QuRouter firmware to mitigate risks associated with the vulnerability.

Taiwanese tech giant QNAP has moved quickly to address a critical zero-day vulnerability in its QuRouter network security appliance, exploited by security researchers during the recent Pwn2Own hacking contest in Ireland.

The vulnerability, tracked as CVE-2024-50389, allowed the Viettel Cyber Security team to compromise a QuRouter device and win a portion of the over $1 million in prize money awarded during the competition.

QNAP wasted no time in releasing a patch for the affected QuRouter 2.4.x versions, urging users to update to version 2.4.5.032 or later immediately. The company acknowledged Viettel Cyber Security for responsibly disclosing the vulnerability.

This incident follows hot on the heels of two other zero-day vulnerabilities patched by QNAP last week, also discovered by Viettel Cyber Security during Pwn2Own:

  • CVE-2024-50388: A flaw in the HBS 3 Hybrid Backup Sync solution that allowed attackers to execute arbitrary commands on a TS-464 NAS device.
  • CVE-2024-50387: A critical SQL injection vulnerability in QNAP’s SMB Service.

QNAP’s rapid response to these vulnerabilities is commendable, particularly in contrast to the typical 90-day window vendors have before details of Pwn2Own exploits are publicly released.

Updating your QuRouter is crucial to mitigate the risk posed by CVE-2024-50389. QNAP has provided clear instructions for updating to the latest firmware version:

  1. Log in to your QuRouter.
  2. Go to Firmware.
  3. Select Update now.
  4. Select Latest.
  5. Click Apply and confirm.

QuRouter will then download and install the necessary updates. Alternatively, users can manually download the latest firmware from the QNAP Download Center and apply it through the QuRouter interface.

Related Posts:

Source: https://securityonline.info/qnap-patches-zero-day-flaw-cve-2024-50389-in-qurouter-following-pwn2own-ireland-2024-exploits