==================================================================== CERT-Renater Note d'Information No. 2021/VULN321 _____________________________________________________________________ DATE : 14/06/2021 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running QNAP NAS Helpdesk versions prior to 3.0.4. ===================================================================== https://www.qnap.com/fr-fr/security-advisory/qsa-21-25 _____________________________________________________________________ Improper Access Control Vulnerability in Helpdesk Release date: June 11, 2021 Security ID: QSA-21-25 Severity: High CVE identifier: CVE-2021-28814 Affected products: All QNAP NAS Status: Resolved Summary An improper access control vulnerability has been reported to affect QNAP NAS. If exploited, this vulnerability allows remote attackers to compromise the security of the software. QNAP has already fixed this issue in Helpdesk 3.0.4 and later versions. Recommendation To fix the vulnerability, we strongly recommend updating Helpdesk to the latest version. Updating Helpdesk Log on to QTS or QuTS hero as administrator. Open the App Center, and then click . A search box appears. Type “Helpdesk”, and then press ENTER. The Helpdesk application appears in the search results. Click Update. A confirmation message appears. Note: The Update button is not available if you are using the latest version. Click OK. The application is updated. Acknowledgements: Thomas FADY Revision History: V1.1 (June 14, 2020) - A minor modification in Recommendation V1.0 (June 11, 2020) - Published ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================