[SECURITY ADVISORY] Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)

Introduce yourself to us and other members here, or share your own product reviews, suggestions, and tips and tricks of using QNAP products.
Post Reply
User avatar
Toxic17
Ask me anything
Posts: 5683
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

[SECURITY ADVISORY] Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)

Post by Toxic17 » Thu Apr 22, 2021 9:28 pm

There appears to be a number of users affected by Ransomware (QLocker) due to this vulnerability. Please Update your HBS3 version ASAP

Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)
  • Release date: April 22, 2021
  • Security ID: QSA-21-13
  • Severity: Critical
  • CVE identifier: CVE-2021-28799
  • Affected products: QNAP NAS running HBS 3
  • Status: Resolved
Summary
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. )
If exploited, the vulnerability allows remote attackers to log in to a device.
We have already fixed this vulnerability in the following versions of HBS 3:
  • QTS 4.5.2: HBS 3 v16.0.0415 and later
  • QTS 4.3.6: HBS 3 v3.0.210412 and later
  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
  • QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later
QNAP NAS running HBS 2 and HBS 1.3 are not affected.

Recommendation
To fix the vulnerability, we recommend updating HBS 3 to the latest version.
Updating HBS 3
  1. Log on to QTS or QuTS hero as administrator.
  2. Open the App Center and then click Image.
    A search box appears.
  3. Type “HBS 3 Hybrid Backup Sync” and then press ENTER.
    HBS 3 appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your HBS 3 is already up to date.
  5. Click OK.
    The application is updated.
Acknowledgements: ZUSO ART
Revision History:
V3.0 (May 1, 2021) - Support QTS 4.3.4 and 4.3.3
V2.0 (April 23, 2021) - Revise Acknowledgements
V1.0 (April 22, 2021) - Published
https://www.qnap.com/en/security-advisory/qsa-21-13

for all other vulnerabilities please check this link: https://www.qnap.com/en/security-advisories/

Subscribe to Security Advisories here: https://www.qnap.com/solution/topics-of-interest/en/

User avatar
Toxic17
Ask me anything
Posts: 5683
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: [SECURITY ADVISORY] Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)

Post by Toxic17 » Mon May 03, 2021 5:53 pm

updated on 01 May 2021 by QNAP

Post Reply

Return to “Users' Corner”