I don't care if I am starting a new thread. I am REALLY ANGRY this morning, as my client base has been greatly affected by Qlocker.
Multimedia Console and Media Streaming add on, and the "update your firmware" does not apply to many of my clients (and if I am wrong about Multimedia Console - well, as you know - you can't uninstall Multimedia Console) -
And now 4/22/2021 - we get this -
Is this "the fix"? Who knows. I certainly have HBS3 and port 8899 opened on countless systems for remote syncing and remote backup on the QNAPs I have done.
Was HBS3 really the issue?
Bob Zelin
Taipei, Taiwan, April 22, 2021 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
Hard-Coded Credentials Vulnerability in HBS 3 Hybrid Backup Sync
Release date: April 22, 2021
Security ID: QSA-21-13
Severity rating: Critical
CVE identifier: CVE-2021-28799
Affected products: QNAP NAS running HBS 3 Hybrid Backup Sync
Summary
A hard-coded credentials vulnerability has been reported to affect QNAP NAS running HBS 3 Hybrid Backup Sync.
If exploited, the vulnerability allows remote attackers to log in to a device with the hard-coded credentials.
We have already fixed this vulnerability in the following versions of HBS 3 Hybrid Backup Sync:
QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later
Recommendation
To fix the vulnerability, we recommend updating HBS 3 Hybrid Backup Sync to the latest version.
Updating HBS 3 Hybrid Backup Sync
Log on to QTS or QuTS hero as administrator.
Open the App Center and then click .
A search box appears.
Type “HBS 3 Hybrid Backup Sync” and then press ENTER.
HBS 3 Hybrid Backup Sync appears in the search results.
Click Update.
A confirmation message appears.
Note: The Update button is not available if your HBS 3 Hybrid Backup Sync is already up to date.
Click OK.
The application is updated.
Acknowledgements: ZUSO APT
Revision History: V1.0 (April 22, 2021) - Published
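The advisory's fixed-version table mixes two HBS 3 numbering schemes (16.0.xxxx on QTS 4.5.2 / QuTS hero / QuTScloud, 3.0.yymmdd on QTS 4.3.6) and one inclusive OS range (c4.5.1~c4.5.4), which is exactly where a quick "is this box patched?" check over a fleet goes wrong if versions are compared as strings or across OS lines. The following is an added example, not QNAP's code: the table is transcribed from the advisory above, the hostnames and pre-fix build numbers in the sample inventory are constructed, and a device whose OS line the advisory does not list is reported as "unknown" rather than assumed safe.

```python
"""Triage helper for QSA-21-13 (CVE-2021-28799): is an installed HBS 3 build
at or above the fixed version for its OS line?

Added example, not QNAP's code. The fixed-version table below is transcribed
from the advisory text; the sample inventory is constructed.
"""
import re

# Fixed versions from the advisory: (os_name, version_or_range) -> first fixed HBS 3 build.
# A range written "c4.5.1~c4.5.4" is inclusive on both ends.
FIXED_HBS3 = {
    ("QTS", "4.5.2"): "16.0.0415",
    ("QTS", "4.3.6"): "3.0.210412",
    ("QuTS hero", "h4.5.1"): "16.0.0419",
    ("QuTScloud", "c4.5.1~c4.5.4"): "16.0.0419",
}


def vtuple(version):
    """Turn 'h4.5.1' or '16.0.0415' into a tuple of ints so builds compare
    numerically rather than lexically (a leading letter such as h/c is dropped)."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def os_matches(os_version, spec):
    """True if os_version falls inside spec, which is either an exact version or an
    inclusive 'low~high' range as written in the advisory."""
    if "~" in spec:
        low, high = spec.split("~", 1)
        return vtuple(low) <= vtuple(os_version) <= vtuple(high)
    return vtuple(os_version) == vtuple(spec)


def first_fixed_build(os_name, os_version):
    """Return the first fixed HBS 3 build for this OS line, or None if the advisory
    lists no fix for it (treat that as 'unknown', not 'safe')."""
    for (name, spec), fixed in FIXED_HBS3.items():
        if name == os_name and os_matches(os_version, spec):
            return fixed
    return None


def hbs3_status(os_name, os_version, hbs_version):
    """'fixed', 'vulnerable' or 'unknown' for one device. Builds are only ever
    compared against the fixed build of the same OS line, never across lines."""
    fixed = first_fixed_build(os_name, os_version)
    if fixed is None:
        return "unknown"
    return "fixed" if vtuple(hbs_version) >= vtuple(fixed) else "vulnerable"


def triage(inventory):
    """Map each (hostname, os_name, os_version, hbs_version) record to its status;
    devices without HBS 3 installed (hbs_version None) are skipped."""
    return {host: hbs3_status(os_name, os_version, hbs)
            for host, os_name, os_version, hbs in inventory if hbs is not None}


# Constructed sample inventory; hostnames and pre-fix build numbers are invented.
SAMPLE_INVENTORY = [
    ("nas-edit-01", "QTS", "4.5.2", "16.0.0415"),
    ("nas-edit-02", "QTS", "4.5.2", "16.0.0401"),
    ("nas-archive", "QTS", "4.3.6", "3.0.210412"),
    ("nas-hero", "QuTS hero", "h4.5.1", "16.0.0419"),
    ("nas-cloud", "QuTScloud", "c4.5.3", "16.0.0419"),
    ("nas-cloud-old", "QuTScloud", "c4.5.0", "16.0.0419"),
    ("nas-no-hbs", "QTS", "4.5.2", None),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {status}")
```

Feed it whatever inventory your monitoring or ticketing system already holds (OS line, OS version, installed HBS 3 build per NAS); anything reported "unknown" is a device the advisory simply does not cover and still needs a manual look, not a green tick.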
4/22/2021 Bob Zelin - new QNAP security update
- Experience counts
- Posts: 1375
- Joined: Mon Nov 21, 2016 12:55 am
- Location: Orlando, FL.
Bob Zelin / Rescue 1, Inc.
http://www.bobzelin.com
- dolbyman
- Guru
- Posts: 35273
- Joined: Sat Feb 12, 2011 2:11 am
- Location: Vancouver BC , Canada
Re: 4/22/2021 Bob Zelin - new QNAP security update
I think there was a "hard coded credential" issue in another app not too long ago.
Really underlines that no part of any QNAP app should be web exposed. I am sure this can shatter customers (qnap and yours in this case) confidence.
I think VPN should be the only way forward here and either consumer grade VPN routers or cheap whitebox pfsense hardware should prevent this in the future(if costs are a big factor with clients..otherwise they can also do some more "beefy" solutions)
- Toxic17
- Ask me anything
- Posts: 6477
- Joined: Tue Jan 25, 2011 11:41 pm
- Location: Planet Earth
Re: 4/22/2021 Bob Zelin - new QNAP security update
QNAP have released more info; I've copied/pasted it into a Global Announcement since no update from QNAP in the forums is forthcoming.
viewtopic.php?f=45&t=160886
Regards Simon
Qnap Downloads
MyQNap.Org Repository
Submit a ticket • QNAP Helpdesk
QNAP Tutorials, User Manuals, FAQs, Downloads, Wiki
When you ask a question, please include the following
NAS: TS-673A QuTS hero h5.1.2.2534 • TS-121 4.3.3.2420 • APC Back-UPS ES 700G
Network: VM Hub3: 500/50 • UniFi UDM Pro: 3.2.9 • UniFi Network Controller: 8.0.28
USW-Aggregation: 6.6.61 • US-16-150W: 6.6.61 • 2x USW Mini Flex 2.0.0 • UniFi AC Pro 6.6.62 • UniFi U6-LR 6.6.62
UniFi Protect: 2.11.21/8TB Skyhawk AI • 3x G3 Instants: 4.69.55 • UniFi G3 Flex: 4.69.55 • UniFi G5 Flex: 4.69.55
- Experience counts
- Posts: 1081
- Joined: Thu Aug 24, 2017 10:28 pm
Re: 4/22/2021 Bob Zelin - new QNAP security update
At this point it doesn't really matter which vulnerability is being exploited, which of the various QNAP holes is the cause of the issue. There were many security vulnerabilities before and there will be more in the future for sure.
The only effective protection is "to disconnect". What users need to realize, and business users in particular, is that these devices are not fit for any online use, security-wise. They are toys designed by incompetent amateurs on the software side.
Unless your business name is Cloudflare or similar, don't try to run your own cloud services from your home or office, especially if you rely on toys. Online security is hard, it requires money and expertise to do properly.
Business users should invest either to outsource their clouding to specialized 3rd-party services, or to acquire adequate equipment in-house to harden their internet-facing network and self-host their cloud services. They can acquire the expertise required to configure and operate such equipment in-house, or rent it from outside consultants. It's not easy nor cheap, but nobody ever said it would be, except the vendors like QNAP who peddle their wares to the gullible customers.
As has been suggested, a VPN + firewall appliance would be a good start, but most business or home users don't have the basic knowledge to select and configure such products, nor are they inclined, understandably so, to spend the time to acquire such knowledge.
As a consultant, you may want to make it part of your job to educate and advise your clients on those issues.
Bottom line: no matter how much advice provided by QNAP a user follows, no matter how many updates are applied, the device itself cannot be trusted to be secure as long as it's connected to, and directly accessible from, the internet.
- Experience counts
- Posts: 2415
- Joined: Wed Jan 08, 2014 10:34 pm
Re: 4/22/2021 Bob Zelin - new QNAP security update
Well said, pretty well spot on.
"The only effective protection is "to disconnect"."
Except that a carefully chosen VPN implementation is a pretty effective solution to needed connectivity over the internet. It's a technology that's been used with a high degree of security, for decades now.
TS-431+ for storage and media and a bunch of IP cams under Surveillance Station. TVS-473 as files backup and QVR Pro.