Platform: other
Component: hbs-3
Fixed in: 3.0.210507
CVE-2021-28809 describes an improper access control vulnerability affecting legacy versions of QNAP HBS 3. Successful exploitation of this flaw could lead to complete operating system compromise, granting attackers significant control over affected systems. This vulnerability impacts HBS 3 versions up to and including v3.0.210507 running on QTS 4.3.6, 4.3.4, and 4.3.3. QNAP has released patches to address this issue in later versions.
The improper access control vulnerability in QNAP HBS 3 allows an attacker to bypass security mechanisms and gain unauthorized access to system resources. This could involve reading sensitive data, modifying system configurations, installing malware, or even taking complete control of the affected device. The potential blast radius is significant, as a compromised HBS 3 instance could serve as a pivot point for further attacks within the network. Given HBS 3's role in backup and data management, attackers could potentially exfiltrate sensitive data or disrupt critical business operations. While no direct precedent for exploitation of this specific vulnerability has been publicly reported, similar access control bypasses in other network-attached storage (NAS) devices have historically led to widespread data breaches and ransomware attacks.
CVE-2021-28809 was publicly disclosed on July 8, 2021. The vulnerability's criticality (CVSS score of 9.8) indicates a high probability of exploitation. While no public proof-of-concept (PoC) code has been released, the severity and nature of the vulnerability suggest that it could be targeted by threat actors. It is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any signs of active exploitation.
Organizations utilizing legacy QNAP HBS 3 installations, particularly those with shared hosting environments or those running older QTS versions, are at heightened risk. Environments where HBS 3 is exposed directly to the internet or lacks proper network segmentation are also particularly vulnerable.
• linux / server:
journalctl -u hbs3 | grep -iE "error|exception" # unit name "hbs3" is assumed; adjust to the actual service name on the device
• generic web:
curl -I http://<HBS3_IP>/ # Check for unexpected response codes or exposed directories
• windows / supply-chain (if HBS 3 is accessed via Windows):
Get-Process -Name hbs3 # Check whether the process is running unexpectedly
EPSS: 0.58% (69th percentile)
The primary mitigation for CVE-2021-28809 is to upgrade QNAP HBS 3 to version v3.0.210507 or later, depending on the QTS version in use (4.3.6, 4.3.4, or 4.3.3). If immediate upgrading is not possible, implement stricter access controls within HBS 3, limiting user privileges and restricting access to sensitive data. Network segmentation can also help isolate HBS 3 instances from other critical systems, reducing the potential impact of a successful attack. Consider implementing a Web Application Firewall (WAF) to filter malicious traffic targeting HBS 3. After upgrading, verify the fix by attempting to access restricted resources with a non-privileged user account; access should be denied.
Update HBS 3 to version 3.0.210507 or later for QTS 4.3.6, or to version 3.0.210506 or later for QTS 4.3.4 and QTS 4.3.3. This fixes the improper access control vulnerability.
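As an added worked example (not code from this page or from QNAP), the per-QTS fixed-version matrix above can be encoded as an inventory check that flags which devices still need the HBS 3 update. The CSV inventory format (hostname, QTS version, HBS 3 version), the sample hosts, and the idea of reducing a full QTS build string such as "4.3.6.1620" to its "4.3.6" branch are all assumptions made for the example; QTS branches the advisory does not list are reported as "not covered" rather than as safe.

```python
"""Inventory check for CVE-2021-28809 (QNAP HBS 3 improper access control).

Encodes the fixed-version matrix from the QNAP advisory as quoted on this page:
  QTS 4.3.6         -> HBS 3 3.0.210507 or later is fixed
  QTS 4.3.4 / 4.3.3 -> HBS 3 3.0.210506 or later is fixed
Hosts on other QTS branches are outside the advisory's scope and are reported
as "not_covered". The inventory line format (host,qts_version,hbs3_version)
is a constructed assumption for this example.
"""
from typing import Optional

# Minimum fixed HBS 3 version keyed by QTS branch (values from the advisory text above).
FIXED_HBS3_BY_QTS = {
    "4.3.6": (3, 0, 210507),
    "4.3.4": (3, 0, 210506),
    "4.3.3": (3, 0, 210506),
}


def parse_version(text: str) -> tuple:
    """Turn 'v3.0.210507' or '3.0.210507' into a comparable tuple of ints.

    Raises ValueError on anything that is not dot-separated digits, so that
    junk such as 'unknown' is never silently compared.
    """
    parts = text.strip().lstrip("v").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def qts_branch(qts_version: str) -> str:
    """Reduce a QTS build string (assumed form '4.3.6.1620') to the
    'major.minor.patch' branch the advisory is keyed on."""
    return ".".join(str(p) for p in parse_version(qts_version)[:3])


def is_affected(qts_version: str, hbs3_version: str) -> Optional[bool]:
    """True if the HBS 3 build is below the fixed version for this QTS branch,
    False if it is at or above it, None if the QTS branch is not in the advisory."""
    fixed = FIXED_HBS3_BY_QTS.get(qts_branch(qts_version))
    if fixed is None:
        return None
    return parse_version(hbs3_version) < fixed


def triage_inventory(lines) -> dict:
    """Classify inventory lines into affected / fixed / not_covered / unparseable."""
    result = {"affected": [], "fixed": [], "not_covered": [], "unparseable": []}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            host, qts, hbs = (f.strip() for f in line.split(","))
            verdict = is_affected(qts, hbs)
        except ValueError:  # wrong field count or a version that will not parse
            result["unparseable"].append(line)
            continue
        bucket = {True: "affected", False: "fixed", None: "not_covered"}[verdict]
        result[bucket].append(host)
    return result


# Constructed sample inventory; hostnames and build numbers are made up.
SAMPLE_INVENTORY = """\
# host,qts_version,hbs3_version
nas-01,4.3.6.1620,3.0.210507
nas-02,4.3.6.1620,3.0.210415
nas-03,4.3.4.1282,3.0.210506
nas-04,4.3.3.1252,3.0.210505
nas-05,4.5.4.1715,3.0.210507
nas-06,4.3.6.1620,unknown
""".splitlines()

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

Versions are compared as integer tuples rather than strings so that a build like 3.0.210506 on QTS 4.3.4 is correctly reported as fixed while the same build on QTS 4.3.6 is reported as affected; feed the function the output of your own asset inventory in place of the constructed sample.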
CVE-2021-28809 is a critical vulnerability in QNAP HBS 3 allowing unauthorized access and potential OS compromise. It affects versions up to v3.0.210507.
You are affected if you are running QNAP HBS 3 versions v3.0.210507 or earlier on QTS 4.3.6, 4.3.4, or 4.3.3.
Upgrade to HBS 3 v3.0.210507 or later, depending on your QTS version. Implement stricter access controls and network segmentation as interim measures.
While no active exploitation has been publicly confirmed, the vulnerability's severity suggests a potential for exploitation.
Refer to the QNAP Security Bulletin: https://www.qnap.com/security/advisory/20210708-hbs-3