CVE-2021-28799: QNAP NAS Improper Authorization Vulnerability
First published: Thu Apr 22 2021(Updated: )
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
Credit: security@qnapsecurity.com.tw security@qnapsecurity.com.tw security@qnapsecurity.com.tw
| Affected Software | Affected Version | How to fix |
|---|---|---|
| QNAP NAS | <16.0.0415 | |
| QNAP QTS | =4.5.2 | |
| QNAP NAS | <3.0.210412 | |
| QNAP QTS | =4.3.6 | |
| QNAP NAS | <3.0.210411 | |
| QNAP QTS | =4.3.3 | |
| QNAP QTS | =4.3.4 | |
| QNAP NAS | <16.0.0419 | |
| QNAP QuTS hero | =h4.5.1 | |
| QNAP QuTScloud | >=c4.5.1<=c4.5.4 | |
| QNAP QTS | =4.3.6 | |
| QNAP Network Attached Storage (NAS) | ||
| All of | ||
| Qnap Hybrid Backup Sync | <16.0.0415 | |
| QNAP QTS | =4.5.2 | |
| All of | ||
| Qnap Hybrid Backup Sync | <3.0.210412 | |
| QNAP QTS | =4.3.6 | |
| All of | ||
| Qnap Hybrid Backup Sync | <3.0.210411 | |
| Any of | ||
| QNAP QTS | =4.3.3 | |
| QNAP QTS | =4.3.4 | |
| All of | ||
| Qnap Hybrid Backup Sync | <16.0.0419 | |
| QNAP QuTS hero | =h4.5.1 | |
| All of | ||
| Qnap Hybrid Backup Sync | <16.0.0419 | |
| QNAP QuTScloud | >=c4.5.1<=c4.5.4 |
Remedy
QNAP have already fixed this vulnerability in the following versions of HBS 3: QTS 4.5.2: HBS 3 v16.0.0415 and later QTS 4.3.6: HBS 3 v3.0.210412 and later QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later QuTS hero h4.5.1: HBS 3 v16.0.0419 and later QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-28799?
CVE-2021-28799 is an improper authorization vulnerability affecting QNAP NAS running HBS 3 (Hybrid Backup Sync).
How does CVE-2021-28799 impact QNAP NAS?
If exploited, CVE-2021-28799 allows remote attackers to log in to a device.
Which versions of QNAP HBS 3 are affected by CVE-2021-28799?
CVE-2021-28799 affects QNAP HBS 3 versions prior to v16.0.0415.
Are the QNAP QTS versions vulnerable to CVE-2021-28799 as well?
QNAP QTS versions are not vulnerable to CVE-2021-28799.
How severe is CVE-2021-28799?
CVE-2021-28799 has a severity rating of 9.8 (critical).
- agent/type
- agent/title
- agent/weakness
- agent/description
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/first-publish-date
- agent/event
- exploited/true
- ransomware/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/references
- collector/nvd-cve
- source/NVD
- agent/author
- agent/softwarecombine
- agent/tags
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-50388
- alias/CVE-2021-28799
- alias/CVE-2020-36195
- vendor/qnap
- canonical/qnap nas
- canonical/qnap qts
- version/qnap qts/4.5.2
- version/qnap qts/4.3.6
- version/qnap qts/4.3.3
- version/qnap qts/4.3.4
- canonical/qnap quts hero
- version/qnap quts hero/h4.5.1
- canonical/qnap qutscloud
- version/qnap qutscloud/c4.5.1
- version/qnap qutscloud/c4.5.4
- canonical/qnap network attached storage (nas)
- canonical/qnap hybrid backup sync