Qnap Security Advisory | Bulletin ID: QSA-21-19

QNAP Systems, Inc. had published security enhancement against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Improper access control vulnerability in HBS 3 (Hybrid Backup Sync)
Release date: July 6, 2021
Security ID: QSA-21-19
Severity rating: Critical
CVE identifier: CVE-2021-28809
Affected products: QNAP NAS running HBS 3

Summary
An improper access control vulnerability has been reported to affect certain versions of HBS 3 (Hybrid Backup Sync). If exploited, this vulnerability allows attackers to compromise the security of the operating system.

QNAP have already fixed vulnerability in following versions of HBS 3:

• QTS 4.3.6: HBS 3 v3.0.210507 and later

• QTS 4.3.4: HBS 3 v3.0.210506 and later

• QTS 4.3.3: HBS 3 v3.0.210506 and later

NAS running QTS 4.5.x with HBS 3 v16.x are not affected.

Recommendation
To fix the vulnerability, we recommend updating HBS 3 to the latest version.

Updating HBS 3

1. Log on to QTS or QuTS hero as administrator.

2. Open the App Center and then click on
   
   A search box appears.

3. Type ‘HBS 3 Hybrid Backup Sync’ and then press ENTER.
   HBS 3 appears in the search results.

4. Click Update.
   A confirmation message appears.
   Note: The Update button is not available if your HBS 3 is already up to date.

5. Click OK.
   The application is updated.

Acknowledgements: Ta-Lun Yen, TXOne IoT/ICS Security Research Labs of Trend Micro, Inc. working with Trend Micro’s Zero Day Initiative

Revision History: V1.0 (July 6, 2021) – Published

Questions regarding this issue