QNAP patches six Rsync bugs that could lead to RCEs on NAS devices

QNAP on Jan. 23 issued patches for six vulnerabilities in Rsync, the open-source file-synchronization utility bundled with its popular network-attached storage (NAS) devices, which are primarily used for backup and disaster recovery.

In its advisory, QNAP said the bugs affect the HBS 3 Hybrid Backup Sync application, version 25.1.x, and recommended that customers update it to the latest version.

The patch was considered significant because QNAP controls nearly 25% of the NAS market, and Rsync is an open-source file-synchronization tool that is used in or alongside many other backup and sync products, such as Rclone, DeltaCopy, and ChronoSync.

Rsync, short for remote synchronization, copies files from one system to another, either over SSH or through its own daemon listening on TCP port 873, and then keeps the copies in sync with the originals by transferring only what has changed.

Billy Hoffman, Field CTO at Ionix, explained that if the flaws were combined, attackers could achieve remote command execution or read or write arbitrary files.

“Because it is open source and has been around for nearly 30 years, Rsync is at the heart of many consumer and business backup or storage systems,” said Hoffman. “While those are bad, the bigger issue here will be the delay in fixing all the products that use Rsync. Do you really think people in a small office using a NAS/backup appliance powered by Rsync regularly check for updates in that plastic shoebox-looking thing in the telephone closet? There’s a long trail of products, from a long trail of vendors, that needs to be updated.”

Trey Ford, chief information security officer at Bugcrowd, said this QNAP vulnerability really hits home with small business and home users, who are now experiencing the diligence required in managing open-source software.

“Obviously, keeping all our systems up to date is important — not just for those personal devices we use every day, but for systems we often set up and forget about — routers, smart devices, and in this case – storage devices,” said Ford. “Keeping systems like these from listening or serving requests from the public internet is important. The backup services can call out to offsite backup locations in major cloud providers.”

John Gallagher, vice president of Viakoo Labs, pointed out that a 2023 Censys study found that only 2% of QNAP NAS devices were patched to the latest version. 

“Remote code execution and remote system compromise is as serious as it gets,” said Gallagher. “Because of the inherent connectivity they have, cloud-based sync and internal sync, they can be exploited.”

Gallagher said organizations using NAS drives need to deploy an IoT/OT asset discovery solution so they can take an accurate inventory, and have an automated method to patch devices at scale. 
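The two practical points above, keep the rsync daemon off the public internet and know which devices in your inventory are running it, can be checked directly. The rsync daemon speaks first on a new connection, sending a greeting of the form `@RSYNCD: <protocol>`, so a probe only has to connect and read one line. The script below, an added example and not QNAP's or the rsync project's code, probes a list of hosts for that greeting and reports the ones that answer as rsync daemons. The `start_fake_service` helper is a constructed stand-in for a NAS so the example runs offline; the hosts and ports in the demo inventory are invented. Note the caveat in the docstring: the protocol number in the greeting (31 for rsync 3.x) is the wire protocol, not the program version, so a hit proves exposure, not whether the device is patched; patch status has to be confirmed from the vendor's app or firmware version.

```python
"""Inventory check for exposed rsync daemons (added example; not vendor code)."""
import re
import socket
import threading

RSYNC_PORT = 873                                          # IANA port for rsyncd
BANNER_RE = re.compile(rb"^@RSYNCD: (\d+)(?:\.(\d+))?")   # e.g. b"@RSYNCD: 31.0\n"


def probe_rsyncd(host, port=RSYNC_PORT, timeout=2.0):
    """Connect to host:port and read the daemon greeting.

    The rsync daemon sends "@RSYNCD: <protocol>\n" as soon as a client
    connects.  Returns None if nothing is listening, otherwise a dict saying
    whether what answered looks like rsyncd.  The protocol number is the
    wire protocol (31 for rsync 3.x), NOT the program version, so this tells
    you a daemon is reachable, not whether it has been patched.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            while b"\n" not in data and len(data) < 256:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
    except OSError:          # connection refused, timeout, unreachable host
        return None
    m = BANNER_RE.match(data)
    if not m:
        return {"host": host, "port": port, "rsyncd": False, "banner": data[:64]}
    return {
        "host": host,
        "port": port,
        "rsyncd": True,
        "protocol": int(m.group(1)),
        "subprotocol": int(m.group(2) or 0),
    }


def exposed_rsync_daemons(targets, timeout=2.0):
    """Probe every (host, port) in the inventory; return the rsyncd hits."""
    hits = []
    for host, port in targets:
        result = probe_rsyncd(host, port, timeout)
        if result and result["rsyncd"]:
            hits.append(result)
    return hits


def start_fake_service(banner):
    """Constructed stand-in for a NAS: a listener on 127.0.0.1 that sends
    `banner` to each client and hangs up.  Returns the port it bound to."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo inventory: one host answers like an rsync 3.x daemon,
    # the other has something else on the port.
    nas_port = start_fake_service(b"@RSYNCD: 31.0\n")
    other_port = start_fake_service(b"SSH-2.0-OpenSSH_9.6\r\n")
    inventory = [("127.0.0.1", nas_port), ("127.0.0.1", other_port)]
    for hit in exposed_rsync_daemons(inventory):
        print(f"rsyncd reachable on {hit['host']}:{hit['port']} "
              f"(protocol {hit['protocol']}) - verify HBS 3 / firmware version")
```

Run it against your own inventory by replacing the demo list with real hosts on port 873; anything that answers from an address reachable across the internet is exactly the exposure Ford warns about, and every hit still needs its patch level checked through the vendor's own version information.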
