The Pwn2Own Hacking Competition Was Busy This Year
Last week at Pwn2Own, serious flaws were discovered in QNAP and Synology NAS software, and this week those companies have released patches for them. In Synology’s case, several versions of both BeePhotos for BeeStation and Synology Photos for DSM open you up to serious pain: the unpatched software would allow attackers to trigger remote code execution as root on vulnerable NAS appliances exposed online. For QNAP owners it is an SQL injection vulnerability which could ruin their day. The flaw is present in QNAP TS-464 NAS devices and in the HBS 3 Hybrid Backup Sync disaster recovery and data backup solution.
In both cases, the companies do not push the updates; you will need to apply them manually. Please check the links to Bleeping Computer for steps on how to do that if you aren’t 100% sure of the process. The decision not to push updates is common among NAS vendors: these devices need to remain up and running, so unexpected reboots or even software updates could impact the availability of the NAS. Check for outstanding updates and plan accordingly!