Qnap Security Advisory | Bulletin ID: QSA-21-13

Qnap Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of the company’s products. Use the following information and solutions to correct the security issues and vulnerabilities.

Hard-coded credentials vulnerability in HBS 3 Hybrid Backup Sync:
Release date: April 22, 2021
Security ID: QSA-21-13
Severity rating: Critical
CVE identifier: CVE-2021-28799
Affected products: Qnap NAS running HBS 3 Hybrid Backup Sync

Summary:
A hard-coded credentials vulnerability has been reported to affect the firm’s NAS running HBS 3 Hybrid Backup Sync.

If exploited, the vulnerability allows remote attackers to log in to a device with the hard-coded credentials.

The company have already fixed this vulnerability in the following versions of HBS 3 Hybrid Backup Sync:

• QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later

• QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later

• QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later

• QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later

Recommendation:
To fix the vulnerability, we recommend updating HBS 3 Hybrid Backup Sync to the latest version.

Updating HBS 3 Hybrid Backup Sync:

1. Log on to QTS or QuTS hero as administrator.

2. Open the App Center and then click.
   A search box appears.

3. Type ‘HBS 3 Hybrid Backup Sync’ and then press ENTER.
   HBS 3 Hybrid Backup Sync appears in the search results.

4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your HBS 3 Hybrid Backup Sync is already up to date.

5. Click OK.
   The application is updated.

Acknowledgements: ZUSO APT
Revision history: V1.0 (April 22, 2021) – Published

Questions regarding this issue, contact the company.