
QNAP Security Advisory
Bulletin ID: QSA-21-19


QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

Improper Access Control Vulnerability in HBS 3 (Hybrid Backup Sync)

Release date: July 6, 2021
Security ID: QSA-21-19
Severity rating: Critical
CVE identifier: CVE-2021-28809
Affected products: QNAP NAS running HBS 3

Summary

An improper access control vulnerability has been reported to affect certain versions of HBS 3 (Hybrid Backup Sync). If exploited, this vulnerability allows attackers to compromise the security of the operating system.

We have already fixed this vulnerability in the following versions of HBS 3:

  • QTS 4.3.6: HBS 3 v3.0.210507 and later
  • QTS 4.3.4: HBS 3 v3.0.210506 and later
  • QTS 4.3.3: HBS 3 v3.0.210506 and later

QNAP NAS running QTS 4.5.x with HBS 3 v16.x are not affected.
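
For triaging more than one NAS against the fixed versions listed above, the following is an added example (not QNAP's code). The hostnames and version strings in the inventory are constructed sample data, and any QTS/HBS 3 combination the advisory does not list is reported as "unknown" rather than guessed.

```python
# Added example: thresholds below are copied from the advisory's fixed-version list.
FIXED = {  # QTS branch -> first fixed HBS 3 version
    "4.3.6": (3, 0, 210507),
    "4.3.4": (3, 0, 210506),
    "4.3.3": (3, 0, 210506),
}

def parse_version(text):
    """Turn 'v3.0.210507' or '4.3.6.1620' into a tuple of ints."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))

def triage(qts_version, hbs_version):
    """Return 'vulnerable', 'fixed', 'not affected' or 'unknown'."""
    try:
        qts = parse_version(qts_version)
        hbs = parse_version(hbs_version)
    except ValueError:
        return "unknown"  # unparseable version string: check by hand
    # Advisory: QTS 4.5.x with HBS 3 v16.x is not affected.
    if qts[:2] == (4, 5) and hbs[:1] == (16,):
        return "not affected"
    branch = ".".join(str(n) for n in qts[:3])
    fixed = FIXED.get(branch)
    if fixed is None:
        return "unknown"  # combination not listed in the advisory
    return "fixed" if hbs >= fixed else "vulnerable"

# Constructed inventory: (hostname, QTS version, HBS 3 version).
INVENTORY = [
    ("nas-01", "4.3.6.1620", "v3.0.210412"),
    ("nas-02", "4.3.6.1620", "v3.0.210506"),  # fixed on 4.3.4, not on 4.3.6
    ("nas-03", "4.3.4.1652", "v3.0.210506"),
    ("nas-04", "4.5.2.1594", "v16.0.0415"),
    ("nas-05", "4.4.3.1439", "v3.0.210412"),  # branch not in the advisory
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(qts, hbs) for host, qts, hbs in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```
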

Recommendation

To fix the vulnerability, we recommend updating HBS 3 to the latest version.

Updating HBS 3

  1. Log on to QTS or QuTS hero as administrator.
  2. Open the App Center and then click the search icon.
    A search box appears.
  3. Type “HBS 3 Hybrid Backup Sync” and then press ENTER.
    HBS 3 appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your HBS 3 is already up to date.
  5. Click OK.
    The application is updated.

Acknowledgements: Ta-Lun Yen of TXOne IoT/ICS Security Research Labs of Trend Micro working with Trend Micro’s Zero Day Initiative
Revision History: V1.0 (July 6, 2021) – Published

If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.