Threat Encyclopedia

QNAP.NAS.HBS.3.Authentication.Bypass

Description

This indicates an attack attempt to exploit an Authentication Bypass Vulnerability in QNAP NAS running HBS 3 (Hybrid Backup Sync).
The vulnerability is due to a hard-coded session ID. A remote, unauthenticated attacker can exploit this by sending a crafted HTTP request to the target server. Successful exploitation of this vulnerability could lead to arbitrary command execution within the context of the application.

Affected Products

This issue affects QNAP Systems Inc. HBS 3 versions prior to:
QTS 4.5.2: HBS 3 v16.0.0415
QTS 4.3.6: HBS 3 v3.0.210412
QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411
QuTS hero h4.5.1: HBS 3 v16.0.0419
QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419

Impact

System Compromise: Remote attackers can gain control of vulnerable systems.

Recommended Actions

Apply the most recent upgrade or patch from the vendor.
https://www.qnap.com/en/security-advisory/QSA-21-13

CVE References

CVE-2021-28799