4/22/2021 Bob Zelin - new QNAP security update

Bob Zelin
Experience counts
Posts: 1375
Joined: Mon Nov 21, 2016 12:55 am
Location: Orlando, FL.
Contact:

4/22/2021 Bob Zelin - new QNAP security update

Post by Bob Zelin »

I don't care if I am starting a new thread. I am REALLY ANGRY this morning, as my client base has been greatly affected by Qlocker.

Multimedia Console and Media Streaming add-on, and the "update your firmware" does not apply to many of my clients (and if I am wrong about Multimedia Console, well, as you know, you can't uninstall Multimedia Console).

And now, 4/22/2021, we get this:

Is this "the fix"? Who knows. I certainly have HBS3 and port 8899 open on countless systems for remote syncing and remote backup on the QNAPs I have done.

Was HBS3 really the issue?

Bob Zelin



Taipei, Taiwan, April 22, 2021 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync

Release date: April 22, 2021
Security ID: QSA-21-13
Severity rating: Critical
CVE identifier: CVE-2021-28799
Affected products: QNAP NAS running HBS 3 Hybrid Backup Sync

Summary

A hard-coded credentials vulnerability has been reported to affect QNAP NAS running HBS 3 Hybrid Backup Sync.

If exploited, the vulnerability allows remote attackers to log in to a device with the hard-coded credentials.

We have already fixed this vulnerability in the following versions of HBS 3 Hybrid Backup Sync:

QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later

Recommendation

To fix the vulnerability, we recommend updating HBS 3 Hybrid Backup Sync to the latest version.

Updating HBS 3 Hybrid Backup Sync

1. Log on to QTS or QuTS hero as administrator.
2. Open the App Center and then click .
   A search box appears.
3. Type "HBS 3 Hybrid Backup Sync" and then press ENTER.
   HBS 3 Hybrid Backup Sync appears in the search results.
4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your HBS 3 Hybrid Backup Sync is already up to date.
5. Click OK.
   The application is updated.

Acknowledgements: ZUSO APT
Revision History: V1.0 (April 22, 2021) - Published
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com
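The advisory quoted above gives a different "fixed" HBS 3 build for each OS line, and the build numbers are not comparable as plain strings ("3.0.210412" is the QTS 4.3.6 branch, "16.0.0415" the QTS 4.5.2 branch). For anyone with many systems to check, here is an added example (not a QNAP tool, and not part of the original post) that turns that table into a per-NAS verdict. The table is transcribed from the advisory text; the OS and version string formats, and the host inventory at the bottom, are assumptions constructed for the example. Anything the advisory does not list (other QTS versions, or an HBS build from a different branch than the one named for that OS) is reported as "unknown" rather than guessed at.

```python
"""Compare an installed HBS 3 Hybrid Backup Sync build against the fixed
versions listed in QSA-21-13 (CVE-2021-28799).

Added example, not a QNAP tool. FIXED_IN is transcribed from the advisory
text; the inventory at the bottom is constructed sample data.
"""
import re
from typing import Iterator, Tuple

Version = Tuple[int, ...]

# Fixed HBS 3 builds per OS line, exactly as the advisory lists them.
FIXED_IN = {
    "QTS 4.5.2": "16.0.0415",
    "QTS 4.3.6": "3.0.210412",
    "QuTS hero h4.5.1": "16.0.0419",
    "QuTScloud c4.5.1~c4.5.4": "16.0.0419",
}

# "QuTS hero h4.5.1" -> family "QuTS hero", version "4.5.1". The h/c prefix
# that QuTS hero and QuTScloud put in front of the number is dropped.
_OS_RE = re.compile(r"^(?P<family>[A-Za-z ]+?)\s+[hc]?(?P<ver>\d[\d.]*)$")


def parse_version(text: str) -> Version:
    """'16.0.0415' -> (16, 0, 415); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))


def _parse_os(text: str) -> Tuple[str, Version]:
    m = _OS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OS string: {text!r}")
    return m.group("family").strip().lower(), parse_version(m.group("ver"))


def _fixed_ranges() -> Iterator[Tuple[str, Version, Version, Version]]:
    """Yield (family, lowest OS version, highest OS version, fixed HBS build).

    A key like 'QuTScloud c4.5.1~c4.5.4' is an inclusive range; the others
    are single versions, so low == high.
    """
    for key, fixed in FIXED_IN.items():
        low_part, _, high_part = key.partition("~")
        family, low = _parse_os(low_part)
        high = parse_version(high_part.lstrip("hc")) if high_part else low
        yield family, low, high, parse_version(fixed)


def hbs3_status(os_string: str, hbs_version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one NAS.

    'unknown' covers OS versions the advisory does not mention and HBS builds
    from a different release branch than the one listed for that OS, so the
    caller is never told 'fixed' on the strength of a guess.
    """
    family, os_ver = _parse_os(os_string)
    installed = parse_version(hbs_version)
    for fam, low, high, fixed in _fixed_ranges():
        if fam == family and low <= os_ver <= high:
            if installed[0] != fixed[0]:
                return "unknown"
            return "fixed" if installed >= fixed else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    # Constructed inventory: hostname, OS string as the NAS reports it, HBS 3 build.
    inventory = [
        ("nas-edit-01", "QTS 4.5.2", "16.0.0415"),
        ("nas-edit-02", "QTS 4.5.2", "16.0.0401"),
        ("nas-archive", "QTS 4.3.6", "3.0.201231"),
        ("nas-cloud", "QuTScloud c4.5.3", "16.0.0419"),
        ("nas-new", "QTS 4.5.3", "16.0.0415"),
    ]
    for host, os_string, hbs in inventory:
        print(f"{host:12} {os_string:20} HBS {hbs:12} {hbs3_status(os_string, hbs)}")
```

A "vulnerable" or "unknown" result is a reason to update through App Center as the advisory describes, not a reason to trust the running build; the check only tells you where the fleet stands against the table QNAP published on the day.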
dolbyman
Guru
Posts: 35273
Joined: Sat Feb 12, 2011 2:11 am
Location: Vancouver BC , Canada

Re: 4/22/2021 Bob Zelin - new QNAP security update

Post by dolbyman »

I think there was a "hard coded credential" issue in another app not too long ago.

Really underlines that no part of any QNAP app should be web exposed. I am sure this can shatter customers' (QNAP's and yours in this case) confidence.

I think VPN should be the only way forward here, and either consumer-grade VPN routers or cheap whitebox pfSense hardware should prevent this in the future (if costs are a big factor with clients; otherwise they can also do some more "beefy" solutions).
Toxic17
Ask me anything
Posts: 6477
Joined: Tue Jan 25, 2011 11:41 pm
Location: Planet Earth
Contact:

Re: 4/22/2021 Bob Zelin - new QNAP security update

Post by Toxic17 »

QNAP have released more info; I've copied/pasted it into a Global Announcement, since no update from QNAP in the forums is forthcoming.

viewtopic.php?f=45&t=160886
Regards Simon

Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
Mousetick
Experience counts
Posts: 1081
Joined: Thu Aug 24, 2017 10:28 pm

Re: 4/22/2021 Bob Zelin - new QNAP security update

Post by Mousetick »

At this point it doesn't really matter which vulnerability is being exploited, which of the various QNAP holes is the cause of the issue. There were many security vulnerabilities before and there will be more in the future for sure.

The only effective protection is "to disconnect". What users need to realize, and business users in particular, is that these devices are not fit for any online use, security-wise. They are toys designed by incompetent amateurs on the software side.

Unless your business name is Cloudflare or similar, don't try to run your own cloud services from your home or office, especially if you rely on toys. Online security is hard, it requires money and expertise to do properly.

Business users should invest either to outsource their clouding to specialized 3rd-party services, or to acquire adequate equipment in-house to harden their internet-facing network and self-host their cloud services. They can acquire the expertise required to configure and operate such equipment in-house, or rent it from outside consultants. It's not easy nor cheap, but nobody ever said it would be, except the vendors like QNAP who peddle their wares to the gullible customers.

As has been suggested, a VPN + firewall appliance would be a good start, but most business or home users don't have the basic knowledge to select and configure such products, nor are they inclined, understandably so, to spend the time to acquire such knowledge.

As a consultant, you may want to make it part of your job to educate and advise your clients on those issues.

Bottom line: no matter how much advice provided by QNAP a user follows, no matter how many updates are applied, the device itself cannot be trusted to be secure as long as it's connected to and directly accessible from, the internet.
AlastairStevenson
Experience counts
Posts: 2415
Joined: Wed Jan 08, 2014 10:34 pm

Re: 4/22/2021 Bob Zelin - new QNAP security update

Post by AlastairStevenson »

Well said, pretty well spot on.

Mousetick wrote: The only effective protection is "to disconnect".

Except that a carefully chosen VPN implementation is a pretty effective solution to needed connectivity over the internet.
It's a technology that's been used with a high degree of security, for decades now.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.