Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)
- Release date: April 22, 2021
- Security ID: QSA-21-13
- Severity: Critical
- CVE identifier: CVE-2021-28799
- Affected products: QNAP NAS running HBS 3
- Status: Resolved
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync).
If exploited, the vulnerability allows remote attackers to log in to a device.
We have already fixed this vulnerability in the following versions of HBS 3:
- QTS 4.5.2: HBS 3 v16.0.0415 and later
- QTS 4.3.6: HBS 3 v3.0.210412 and later
- QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
- QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later
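To audit a fleet against the fixed versions listed above, the following added example (not QNAP's code) classifies each device in an inventory export. The inventory format, host names, firmware build numbers and function names are constructed for illustration; releases the advisory does not list are reported as unknown.

```python
import csv
import io
import re

# Minimum fixed HBS 3 version per OS release, copied from the advisory's list.
# Assumption: "c4.5.1~c4.5.4" is read as the inclusive range c4.5.1 to c4.5.4.
FIXED = {
    ("QTS", "4.5.2"): "16.0.0415",
    ("QTS", "4.3.6"): "3.0.210412",
    ("QTS", "4.3.4"): "3.0.210411",
    ("QTS", "4.3.3"): "3.0.210411",
    ("QuTS hero", "4.5.1"): "16.0.0419",
    **{("QuTScloud", f"4.5.{n}"): "16.0.0419" for n in range(1, 5)},
}

# Constructed sample inventory: host, product, firmware version, HBS 3 version.
SAMPLE = """\
nas-01,QTS,4.5.2.1594,16.0.0410
nas-02,QTS,4.3.6.1620,3.0.210412
nas-03,QuTS hero,h4.5.1.1582,v16.0.0419
nas-04,QuTScloud,c4.5.3.1454,16.0.0301
nas-05,QTS,4.4.3.1400,3.0.200820
nas-06,QTS,4.3.4.1652,3.0.210411
"""

def parse_version(text):
    """'v16.0.0415' -> (16, 0, 415): compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def classify(product, os_version, hbs_version):
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    m = re.match(r"[hc]?(\d+\.\d+\.\d+)", os_version.strip())
    fixed = FIXED.get((product.strip(), m.group(1))) if m else None
    if fixed is None:
        return "unknown"  # release not listed in the advisory: review by hand
    try:
        installed = parse_version(hbs_version)
    except ValueError:
        return "unknown"  # empty or unparseable HBS 3 version string
    return "patched" if installed >= parse_version(fixed) else "vulnerable"

def audit(inventory_text):
    """Map each host in a four-column CSV inventory to its status."""
    rows = csv.reader(io.StringIO(inventory_text))
    return {r[0]: classify(r[1], r[2], r[3]) for r in rows if len(r) == 4}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as unknown run a release the advisory does not mention and need a manual check rather than an assumption either way.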
Recommendation
To fix the vulnerability, we recommend updating HBS 3 to the latest version.
Updating HBS 3
- Log on to QTS or QuTS hero as administrator.
- Open the App Center and then click the search icon.
  A search box appears.
- Type “HBS 3 Hybrid Backup Sync” and then press ENTER.
  HBS 3 appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if your HBS 3 is already up to date.
- Click OK.
  The application is updated.
Revision History:
V3.0 (May 1, 2021) - Support QTS 4.3.4 and 4.3.3
V2.0 (April 23, 2021) - Revise Acknowledgements
V1.0 (April 22, 2021) - Published
https://www.qnap.com/en/security-advisory/qsa-21-13
For all other vulnerabilities, please check this link: https://www.qnap.com/en/security-advisories/
Subscribe to Security Advisories here: https://www.qnap.com/solution/topics-of-interest/en/