
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN348
_____________________________________________________________________

DATE                : 07/07/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): QNAP NAS running legacy HBS 3 (Hybrid Backup Sync):
                         HBS 3 versions prior to 3.0.210507 on QTS 4.3.6,
                         and prior to 3.0.210506 on QTS 4.3.4 / 4.3.3.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-21-19
_____________________________________________________________________


Improper Access Control Vulnerability in Legacy HBS 3 (Hybrid Backup
Sync)

    Release date: July 6, 2021
    Security ID: QSA-21-19
    Severity: Critical
    CVE identifier: CVE-2021-28809
    Affected products: QNAP NAS running HBS 3
    Status: Resolved


Summary

An improper access control vulnerability has been reported to affect
certain legacy versions of HBS 3 (Hybrid Backup Sync). If exploited,
this vulnerability allows attackers to compromise the security of the
operating system.

We have already fixed this vulnerability in the following versions of
HBS 3:

    QTS 4.3.6: HBS 3 v3.0.210507 and later
    QTS 4.3.4: HBS 3 v3.0.210506 and later
    QTS 4.3.3: HBS 3 v3.0.210506 and later


QNAP NAS running QTS 4.5.x with HBS 3 v16.x are not affected.
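The fix thresholds above differ per QTS branch, so a fleet check has to pair each NAS's QTS branch with the right HBS 3 minimum and must not flag the QTS 4.5.x / HBS 3 v16.x combination. The following is an added example written for this note, not code from QNAP or CERT-Renater; the inventory rows are constructed, and the version-string formats (a four-part QTS build such as "4.3.6.1750", a three-part HBS 3 version such as "3.0.210506") are assumptions about how an operator would record them:

```python
"""Per-device check of the HBS 3 fix thresholds published in QSA-21-19.

Added example for this advisory note; the inventory data below is constructed.
"""
from typing import List, Optional, Tuple

# Minimum fixed HBS 3 version per QTS branch, taken from the advisory text.
FIXED_HBS3 = {
    "4.3.6": (3, 0, 210507),
    "4.3.4": (3, 0, 210506),
    "4.3.3": (3, 0, 210506),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.0.210506' into (3, 0, 210506) so versions compare numerically,
    not as strings ('3.0.210430' < '3.0.210507' holds either way, but a
    string compare would break on differing component widths)."""
    return tuple(int(part) for part in v.strip().split("."))


def qts_branch(qts: str) -> str:
    """Reduce a full QTS build string such as '4.3.6.1750' (assumed format)
    to the 'major.minor.patch' branch the advisory keys its fixes on."""
    return ".".join(qts.strip().split(".")[:3])


def hbs3_affected(qts: str, hbs3: str) -> Optional[bool]:
    """True if the (QTS, HBS 3) pair is affected per QSA-21-19, False if it is
    fixed or explicitly out of scope, None if the advisory does not cover the
    QTS branch at all (treat None as 'verify manually', not as 'safe')."""
    hbs = parse_version(hbs3)
    # QTS 4.5.x ships HBS 3 v16.x, which the advisory states is not affected.
    if qts_branch(qts).startswith("4.5.") and hbs[0] == 16:
        return False
    branch = qts_branch(qts)
    if branch not in FIXED_HBS3:
        return None
    return hbs < FIXED_HBS3[branch]


# Constructed inventory: (hostname, QTS build, installed HBS 3 version).
INVENTORY = [
    ("nas-01", "4.3.6.1750", "3.0.210430"),   # legacy branch, pre-fix
    ("nas-02", "4.3.6.1750", "3.0.210507"),   # legacy branch, at fix version
    ("nas-03", "4.3.4.1632", "3.0.210506"),   # legacy branch, at fix version
    ("nas-04", "4.3.3.1624", "3.0.210401"),   # legacy branch, pre-fix
    ("nas-05", "4.5.4.1715", "16.0.0415"),    # not affected per advisory
    ("nas-06", "4.4.3.1400", "3.0.210401"),   # branch not covered by advisory
]


def triage(inventory) -> Tuple[List[str], List[str]]:
    """Split an inventory into hosts that must be updated and hosts whose
    branch the advisory does not cover; everything else needs no action."""
    affected, unknown = [], []
    for host, qts, hbs3 in inventory:
        status = hbs3_affected(qts, hbs3)
        if status is True:
            affected.append(host)
        elif status is None:
            unknown.append(host)
    return sorted(affected), sorted(unknown)


if __name__ == "__main__":
    to_update, to_verify = triage(INVENTORY)
    print("update HBS 3 on :", ", ".join(to_update))
    print("verify manually :", ", ".join(to_verify))
```

Hosts reported under "verify manually" run a QTS branch the advisory says nothing about; the safe handling is to confirm their HBS 3 version against the App Center rather than assume they are unaffected.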


Recommendation

To fix the vulnerability, we recommend updating HBS 3 to the latest
version.

Updating HBS 3

    Log on to QTS or QuTS hero as administrator.
    Open the App Center and then click the search icon.
    A search box appears.
    Type “HBS 3 Hybrid Backup Sync” and then press ENTER.
    HBS 3 appears in the search results.
    Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your HBS 3 is already up
      to date.
    Click OK.
    The application is updated.


Acknowledgements: Ta-Lun Yen of TXOne IoT/ICS Security Research Labs of
Trend Micro working with Trend Micro’s Zero Day Initiative

Revision History: V1.0 (July 6, 2021) - Published


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



