Synology, QNAP and TrueNAS have started patching and mitigating the vulnerabilities exploited recently at Pwn2Own Ireland 2024.
Participants earned a total of more than $1 million at the Pwn2Own Ireland 2024 hacking competition organized by Trend Micro’s Zero Day Initiative (ZDI) last week. White hat hackers successfully demonstrated exploit chains targeting cameras, printers, NAS devices, smart speakers, and smartphones.
Some of the vendors whose products were targeted during the competition went to work immediately after the researchers shared the details of their exploits, and a few of the more than 70 demonstrated flaws have already been patched.
Synology has published two advisories to inform customers that critical vulnerabilities exploited at Pwn2Own against its data storage products have been patched. Specifically, the vendor fixed remote code execution vulnerabilities in Photos for DMS and BeePhotos for BeeStation.
Synology product exploits earned participants a total of $260,000 at Pwn2Own.
QNAP on Monday released an advisory to inform customers that it has patched CVE-2024-50388, a critical OS command injection vulnerability in the HBS 3 Hybrid Backup Sync data backup and disaster recovery solution. The flaw can be exploited for remote command execution.
The security hole was reported by Viettel Cyber Security, the team that won Pwn2Own Ireland 2024 and earned a total of $205,000 for its exploits.
QNAP router and NAS product exploits earned participants $350,000, but much of the amount was paid out for exploit chains that targeted products from other vendors as well.
TrueNAS has also published an advisory to address Pwn2Own results. The company has started working on patches, but informed customers that the vulnerabilities were demonstrated against default, non-hardened installations, and following recommendations outlined in TrueNAS’s security guidance significantly reduces exposure.
Related: VMware Patches Vulnerabilities Exploited at Pwn2Own 2024
Related: Hackers Earn $1.3M for Tesla, EV Charger, Infotainment Exploits at Pwn2Own Automotive
Related: Google Patches Chrome Flaw That Earned Hackers $42,500 at Pwn2Own
Related: Mozilla Patches Firefox Zero-Days Exploited at Pwn2Own
