Platform: other
Component: hbs-3
Fixed in: 3.0.210507
CVE-2021-28809 describes an improper access control vulnerability affecting legacy versions of QNAP HBS 3. Successful exploitation of this flaw could lead to complete operating system compromise, granting attackers significant control over affected systems. This vulnerability impacts HBS 3 versions up to and including v3.0.210507 running on QTS 4.3.6, 4.3.4, and 4.3.3. QNAP has released patches to address this issue in later versions.
The improper access control vulnerability in QNAP HBS 3 allows an attacker to bypass security mechanisms and gain unauthorized access to system resources. This could involve reading sensitive data, modifying system configurations, installing malware, or even taking complete control of the affected device. The potential blast radius is significant, as a compromised HBS 3 instance could serve as a pivot point for further attacks within the network. Given HBS 3's role in backup and data management, attackers could potentially exfiltrate sensitive data or disrupt critical business operations. While no direct precedent for exploitation of this specific vulnerability has been publicly reported, similar access control bypasses in other network-attached storage (NAS) devices have historically led to widespread data breaches and ransomware attacks.
CVE-2021-28809 was publicly disclosed on July 8, 2021. The vulnerability's criticality (CVSS score of 9.8) indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been released, the severity and nature of the vulnerability suggest that it could be targeted by threat actors. It is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Exploit Status
EPSS: 0.58% (69th percentile)
CVSS Vector
The primary mitigation for CVE-2021-28809 is to upgrade QNAP HBS 3 to v3.0.210507 or later, depending on the QTS version in use (4.3.6, 4.3.4, or 4.3.3). If immediate upgrading is not possible, implement stricter access controls within HBS 3, limiting user privileges and restricting access to sensitive data. Network segmentation can also help isolate HBS 3 instances from other critical systems, reducing the potential impact of a successful attack. Consider implementing a Web Application Firewall (WAF) to filter malicious traffic targeting HBS 3. After upgrading, verify the fix by attempting to access restricted resources with a non-privileged user account; access should be denied.
Update HBS 3 to version 3.0.210507 or later for QTS 4.3.6, or to version 3.0.210506 or later for QTS 4.3.4 and QTS 4.3.3. This will resolve the improper access control vulnerability.
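As an added example (not code from QNAP or from this advisory), a small Python inventory check that applies the per-QTS fixed versions listed above and compares HBS 3 builds field by field as integers rather than as strings; the hostnames, the inventory entries and the QTS 4.5.4 entry are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Minimum fixed HBS 3 version per QTS release, as stated in the advisory text above.
FIXED_HBS3_BY_QTS: Dict[str, str] = {
    "4.3.6": "3.0.210507",
    "4.3.4": "3.0.210506",
    "4.3.3": "3.0.210506",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'v3.0.210507' or '3.0.210507' into (3, 0, 210507) for numeric comparison."""
    text = version.strip()
    if text[:1] in ("v", "V"):
        text = text[1:]
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(hbs_version: str, qts_version: str) -> Optional[bool]:
    """True if HBS 3 is older than the fixed build for this QTS release,
    False if it is at or above it, None if the QTS release is not one the
    advisory covers (the table gives no answer; consult the vendor bulletin)."""
    qts_key = ".".join(str(n) for n in parse_version(qts_version)[:3])
    fixed = FIXED_HBS3_BY_QTS.get(qts_key)
    if fixed is None:
        return None
    # Field-by-field integer comparison: a plain string compare would rank
    # a build such as 3.0.21051 above 3.0.210507, which is the wrong answer.
    return parse_version(hbs_version) < parse_version(fixed)


def affected_hosts(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Names of hosts still affected; hosts on an uncovered QTS release (None) are not listed."""
    return [host for host, hbs, qts in inventory if is_affected(hbs, qts)]


# Constructed sample inventory (hostnames and version pairs are made up).
SAMPLE_INVENTORY = [
    ("nas-01", "v3.0.210506", "4.3.6.1750"),  # below the fix for QTS 4.3.6 -> affected
    ("nas-02", "3.0.210507", "4.3.6"),        # at fix level -> not affected
    ("nas-03", "3.0.210506", "4.3.4"),        # at fix level for QTS 4.3.4 -> not affected
    ("nas-04", "3.0.21051", "4.3.3"),         # a string compare would miss this one
    ("nas-05", "3.0.210507", "4.5.4"),        # QTS release not in the advisory -> None
]

if __name__ == "__main__":
    print("affected:", affected_hosts(SAMPLE_INVENTORY))  # affected: ['nas-01', 'nas-04']
```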
CVE-2021-28809 is a critical vulnerability in QNAP HBS 3 allowing unauthorized access and potential OS compromise. It affects versions up to v3.0.210507.
You are affected if you are running QNAP HBS 3 versions v3.0.210507 or earlier on QTS 4.3.6, 4.3.4, or 4.3.3.
Upgrade to HBS 3 v3.0.210507 or later, depending on your QTS version. Implement stricter access controls and network segmentation as interim measures.
While no active exploitation has been publicly confirmed, the vulnerability's severity suggests a potential for exploitation.
Refer to the QNAP Security Bulletin: https://www.qnap.com/security/advisory/20210708-hbs-3