QNAP Critical Flaw

QNAP Systems, Inc. has resolved a critical vulnerability that could be exploited by attackers to compromise vulnerable NAS devices security.

The security advisory published by the company says, “An improper access control vulnerability tracked as (CVE-2021-28809) has been reported to affect certain legacy versions of HBS 3 (Hybrid Backup Sync).”

The vulnerability was reported to the vendor by Ta-Lun Yen of TXOne IoT/ICS Security Research Labs. If exploited, this could allow attackers to compromise the security of the operating system.

The critical flaw has been fixed in the following versions of HBS 3:

  • QTS 4.3.6: HBS 3 v3.0.210507 and later
  • QTS 4.3.4: HBS 3 v3.0.210506 and later
  • QTS 4.3.3: HBS 3 v3.0.210506 and later

QNAP NAS running QTS 4.5.x with HBS 3 v16.x are not affected.

The vendor advised its customers to update the HBS 3 disaster recovery app running on their Network Attached Storage (NAS) devices to prevent Qlocker ransomware infections during May.

Researchers also warned of a new strain of ransomware during April, which is called Qlocker that was infecting hundreds of QNAP NAS devices. The threat actors behind the attacks are exploiting an improper authorization vulnerability, tracked as CVE-2021-28799, that could allow them to log in to a NAS device.

“A ransomware campaign targeting QNAP NAS began the week of April 19th, 2021. The ransomware is known as Qlocker exploits CVE-2021-28799 to attack QNAP NAS running certain versions of HBS 3 (Hybrid Backup Sync).” reads the security advisory published by the vendor.

According to information provided by Michael Gillespie, the creator of ransomware identification service ID-Ransomware, the number of infections has shot up to hundreds per day.

Recently, in the previous week, the vendor warned customers of threat actors that are targeting its Network Attached Storage (NAS) devices with eCh0raix ransomware attacks and exploiting a Roon Server zero-day vulnerability. QNAP also warned of an ongoing wave of AgeLocker ransomware attacks on their NAS devices.

Therefore QNAP systems recommend all its customers update HBS 3 to the latest version in which the code security has been enhanced.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.