Qnap Security Advisory | Bulletin ID: QSA-21-13
Concerning hard-coded credentials vulnerability in HBS 3 Hybrid Backup Sync
This is a Press Release edited by StorageNewsletter.com on April 30, 2021 at 2:31 pm
Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products. Use the following information and solutions to correct the security issues and vulnerabilities.
Hard-coded credentials vulnerability in HBS 3 Hybrid Backup Sync:
Release date: April 22, 2021 
Security ID: QSA-21-13 
Severity rating: Critical 
CVE identifier: CVE-2021-28799 
Affected products: Qnap NAS running HBS 3 Hybrid Backup Sync
Summary:
A hard-coded credentials vulnerability has been reported to affect the firm’s NAS running HBS 3 Hybrid Backup Sync. 
If exploited, the vulnerability allows remote attackers to log in to a device with the hard-coded credentials.
The company has already fixed this vulnerability in the following versions of HBS 3 Hybrid Backup Sync:
- QTS 4.5.2: HBS 3 Hybrid Backup Sync 16.0.0415 and later
- QTS 4.3.6: HBS 3 Hybrid Backup Sync 3.0.210412 and later
- QuTS hero h4.5.1: HBS 3 Hybrid Backup Sync 16.0.0419 and later
- QuTScloud c4.5.1~c4.5.4: HBS 3 Hybrid Backup Sync 16.0.0419 and later
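A triage check built from the fixed-version list above, as an added example (not Qnap's code). The inventory rows, host names and function names are constructed for illustration, and OS releases the advisory does not name are reported as not listed rather than guessed.

```python
import re

# Minimum fixed HBS 3 version per OS release, copied from QSA-21-13.
# Rows: (OS name, lowest OS release, highest OS release, fixed HBS 3 version)
FIXED = [
    ("QTS", (4, 5, 2), (4, 5, 2), "16.0.0415"),
    ("QTS", (4, 3, 6), (4, 3, 6), "3.0.210412"),
    ("QuTS hero", (4, 5, 1), (4, 5, 1), "16.0.0419"),
    ("QuTScloud", (4, 5, 1), (4, 5, 4), "16.0.0419"),  # c4.5.1~c4.5.4
]

def vtuple(version):
    """'16.0.0415' -> (16, 0, 415); 'h4.5.1' -> (4, 5, 1)."""
    parts = re.findall(r"\d+", version)
    if not parts:
        raise ValueError("no version digits in %r" % version)
    return tuple(int(p) for p in parts)

def triage(os_name, os_version, hbs_version):
    """Classify one NAS against the advisory's table.

    The comparison is per OS release on purpose: the fixed build for
    QTS 4.3.6 is numbered 3.0.x, so one global minimum of 16.0.x would
    wrongly flag patched QTS 4.3.6 devices.
    """
    os_release = vtuple(os_version)[:3]
    for name, low, high, fixed in FIXED:
        if name == os_name and low <= os_release <= high:
            if vtuple(hbs_version) >= vtuple(fixed):
                return "fixed"
            return "vulnerable: update HBS 3 to %s or later" % fixed
    # Assumption: releases the advisory does not name are not guessed at.
    return "not listed in QSA-21-13: check manually"

# Constructed inventory (hypothetical hosts and versions).
INVENTORY = [
    ("nas-01", "QTS", "4.5.2", "16.0.0412"),
    ("nas-02", "QTS", "4.3.6", "3.0.210412"),
    ("nas-03", "QuTS hero", "h4.5.1", "16.0.0419"),
    ("nas-04", "QuTScloud", "c4.5.3", "16.0.0415"),
    ("nas-05", "QTS", "4.4.3", "3.0.200000"),
]

def report(inventory):
    return {host: triage(os_name, os_v, hbs) for host, os_name, os_v, hbs in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(host, status)
```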
Recommendation:
To fix the vulnerability, we recommend updating HBS 3 Hybrid Backup Sync to the latest version.
Updating HBS 3 Hybrid Backup Sync:
- Log on to QTS or QuTS hero as administrator.
- Open the App Center and then click.
  A search box appears.
- Type ‘HBS 3 Hybrid Backup Sync’ and then press ENTER.
  HBS 3 Hybrid Backup Sync appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if your HBS 3 Hybrid Backup Sync is already up to date.
- Click OK.
  The application is updated.
Acknowledgements: ZUSO APT 
Revision history: V1.0 (April 22, 2021) – Published
For questions regarding this issue, contact the company.










