QNAP fixes critical bug in NAS backup, disaster recovery app

Taiwan-based network-attached storage (NAS) maker QNAP has addressed a critical security vulnerability enabling attackers to compromise vulnerable NAS devices' security.

The improper access control vulnerability tracked as CVE-2021-28809 was found by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs in HBS 3 Hybrid Backup Sync, QNAP's disaster recovery and data backup solution.

The security issue is caused by buggy software that does not correctly restrict attackers from gaining access to system resources allowing them escalate privileges, execute commands remotely, or read sensitive info without authorization.

QNAP says that the security flaw is already fixed in the following HBS versions and advises customers to update the application to the latest released version:

  • QTS 4.3.6: HBS 3 v3.0.210507 and later
  • QTS 4.3.4: HBS 3 v3.0.210506 and later
  • QTS 4.3.3: HBS 3 v3.0.210506 and later

To update HBS on your NAS device, you have to log into QTS or QuTS hero as administrator, search for "HBS 3 Hybrid Backup Sync" in the App Center, and then click Update and OK to update the app (the Update option will not be available if HBS is already up to date.)

However, while QNAP published the security advisory announcing that CVE-2021-28809 is fixed today, the app's release notes do not list any security updates since May 14th, 2021.

According to the company, QNAP NAS devices running QTS 4.5.x with HBS 3 v16.x are not affected by this security vulnerability and are not exposed to attacks.

HBS backdoor account exploited by Qlocker ransomware

QNAP fixed another critical security vulnerability found in the HBS 3 Hybrid Backup Sync backup and disaster recovery app in April.

The backdoor account flaw, initially described by the company as "hardcoded credentials" and then as an "improper authorization," provided a backdoor account that allowed Qlocker ransomware operators to encrypt Internet-exposed Network Attached Storage (NAS) devices.

Starting with at least April 19th, Qlocker began targeting QNAP devices as part of a massive campaign, deploying ransomware payloads that moved victims' files in password-protected 7zip archives and asked for ransoms.

As BleepingComputer reported, the ransomware gang made around $260,000 in just five days by demanding ransoms of 0.01 bitcoins (worth roughly $500 at the time).

The same month, QNAP urged their customers to secure their NAS devices from Agelocker ransomware attacks targeting their data and, two weeks later, from an eCh0raix ransomware campaign.

QNAP devices were previously attacked by eCh0raix ransomware (also known as QNAPCrypt) during June 2019 and June 2020.

Customers who want to secure their NAS devices from incoming attacks are advised to follow these best practices for enhancing NAS security.

Related Articles:

QNAP warns of critical auth bypass flaw in its NAS devices

Over 92,000 exposed D-Link NAS devices have a backdoor account

WP Automatic WordPress plugin hit by millions of SQL injection attacks

Maximum severity Flowmon bug has a public exploit, patch now

Critical Forminator plugin flaw impacts over 300k WordPress sites