PT-2021-4456 · QNAP · QuTScloud +3
Zuso Art · Published 2021-05-12 · Updated 2026-01-10
CVE-2021-28799
CVSS v3.1: 10 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
HBS 3 versions prior to v16.0.0415 on QTS 4.5.2
HBS 3 versions prior to v3.0.210412 on QTS 4.3.6
HBS 3 versions prior to v3.0.210411 on QTS 4.3.4
HBS 3 versions prior to v3.0.210411 on QTS 4.3.3
HBS 3 versions prior to v16.0.0419 on QuTS hero h4.5.1
HBS 3 versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4
Description
The issue is an improper authorization vulnerability in QNAP NAS devices running HBS 3, which allows remote attackers to log in to the device. It has been exploited in real-world incidents, including the ransomware campaign known as Qlocker, which targeted QNAP NAS devices. The campaign started in April 2021; attackers encrypted files on the devices and demanded a ransom in exchange for the decryption key. A new version of the ransomware, QLocker2, was discovered in January and also exploits this vulnerability. It is estimated that hundreds of devices have been affected by these campaigns.
Recommendations
For HBS 3 versions prior to v16.0.0415 on QTS 4.5.2, update to version v16.0.0415 or later.
For HBS 3 versions prior to v3.0.210412 on QTS 4.3.6, update to version v3.0.210412 or later.
For HBS 3 versions prior to v3.0.210411 on QTS 4.3.4, update to version v3.0.210411 or later.
For HBS 3 versions prior to v3.0.210411 on QTS 4.3.3, update to version v3.0.210411 or later.
For HBS 3 versions prior to v16.0.0419 on QuTS hero h4.5.1, update to version v16.0.0419 or later.
For HBS 3 versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4, update to version v16.0.0419 or later.
As a temporary workaround, consider restricting access to the HBS 3 application until the update can be applied.
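The per-platform thresholds above are easy to misread by hand because HBS 3 uses two different version schemes (v16.0.04xx on newer OS releases, v3.0.21xxxx on older QTS). The following added example, not part of this advisory or of QNAP's tooling, encodes the fixed versions listed above and checks a constructed device inventory against them; it assumes version strings are dot-separated integers with an optional leading "v".

```python
import re
from typing import Optional

# First fixed HBS 3 version per (product, OS version), taken from the advisory above.
# QuTScloud c4.5.1~c4.5.4 is expanded into its four releases.
FIXED_VERSIONS = {
    ("QTS", "4.5.2"): "v16.0.0415",
    ("QTS", "4.3.6"): "v3.0.210412",
    ("QTS", "4.3.4"): "v3.0.210411",
    ("QTS", "4.3.3"): "v3.0.210411",
    ("QuTS hero", "h4.5.1"): "v16.0.0419",
    ("QuTScloud", "c4.5.1"): "v16.0.0419",
    ("QuTScloud", "c4.5.2"): "v16.0.0419",
    ("QuTScloud", "c4.5.3"): "v16.0.0419",
    ("QuTScloud", "c4.5.4"): "v16.0.0419",
}

def parse_version(v: str) -> tuple:
    """Turn 'v16.0.0415' or '3.0.210412' into a tuple of ints.
    Components are compared numerically, so '0415' < '0419' and a
    string comparison pitfall like '16.0.0415' < '3.0.210412' is avoided."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_vulnerable(product: str, os_version: str, hbs_version: str) -> Optional[bool]:
    """True if HBS 3 on this platform is below the fixed version, False if at or
    above it, None if the platform is not covered by the advisory's list."""
    fixed = FIXED_VERSIONS.get((product, os_version))
    if fixed is None:
        return None
    return parse_version(hbs_version) < parse_version(fixed)

def devices_needing_update(inventory: list) -> list:
    """Return the hostnames from a (hostname, product, os_version, hbs_version)
    inventory that still run a vulnerable HBS 3 build."""
    return [host for host, prod, osv, hbs in inventory
            if is_vulnerable(prod, osv, hbs)]

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "4.5.2", "v16.0.0414"),       # below fix -> needs update
    ("nas-02", "QTS", "4.5.2", "v16.0.0415"),       # at fix -> fine
    ("nas-03", "QTS", "4.3.6", "3.0.210411"),       # below fix -> needs update
    ("nas-04", "QuTScloud", "c4.5.3", "v16.0.0420"),  # above fix -> fine
    ("nas-05", "QTS", "4.2.0", "v3.0.0"),           # not listed -> not flagged
]

if __name__ == "__main__":
    print(devices_needing_update(SAMPLE_INVENTORY))
```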
Fix
Incorrect Authorization
Improper Authorization
Affected Products
HBS 3
QTS
QuTS hero
QuTScloud