Security ID : QSA-21-19
Improper Access Control Vulnerability in Legacy HBS 3 (Hybrid Backup Sync)
Release date : July 6, 2021
CVE identifier : CVE-2021-28809
Affected products: QNAP NAS running HBS 3
Severity
Critical
Status
Resolved
Summary
An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3 (Hybrid Backup Sync). If exploited, this vulnerability allows attackers to compromise the security of the operating system.
We have already fixed this vulnerability in the following versions of HBS 3:
- HBS 3 v18.0.1012 and later
Recommendation
To fix the vulnerability, we recommend updating HBS 3 to the latest version.
Updating HBS 3
- Log on to QTS or QuTS hero as administrator.
- Open the App Center and then click the search icon.
  A search box appears.
- Type “HBS 3 Hybrid Backup Sync” and then press ENTER.
  HBS 3 appears in the search results.
- Click Update.
  A confirmation message appears.
  Note: The Update button is not available if your HBS 3 is already up to date.
- Click OK.
  The application is updated.
Acknowledgements: Ta-Lun Yen of TXOne IoT/ICS Security Research Labs of Trend Micro working with Trend Micro’s Zero Day Initiative
Revision History: V1.0 (July 6, 2021) - Published