CVE-2021-28799
📋 TL;DR
CVE-2021-28799 is an improper authorization vulnerability in QNAP's HBS 3 backup software that allows remote attackers to bypass authentication and log into affected NAS devices. This affects QNAP NAS systems running vulnerable versions of HBS 3 on multiple QTS and QuTS platforms. The vulnerability does not affect earlier HBS 2 or HBS 1.3 versions.
💻 Affected Systems
- QNAP NAS with HBS 3 (Hybrid Backup Sync 3)
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the NAS device, allowing attackers to access, modify, or delete all stored data, install malware, pivot to other network resources, and potentially encrypt files for ransomware attacks.
Likely Case
Unauthorized access to sensitive files and backups stored on the NAS, potential data theft or destruction, and establishment of persistence for further attacks.
If Mitigated
Limited impact if the device is isolated from the internet, sits behind strong network segmentation, and is protected by additional authentication layers; compromise from within the local network remains possible.
🎯 Exploit Status
This vulnerability is listed in CISA's Known Exploited Vulnerabilities Catalog, confirming active exploitation. The CVSS 10.0 score indicates trivial exploitation with maximum impact.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version:
- QTS 4.5.2: HBS 3 v16.0.0415 or later
- QTS 4.3.6: HBS 3 v3.0.210412 or later
- QTS 4.3.4 / 4.3.3: HBS 3 v3.0.210411 or later
- QuTS hero h4.5.1 and QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 or later
Vendor Advisory: https://www.qnap.com/en/security-advisory/QSA-21-13
Restart Required: Yes
Instructions:
1. Log into the QNAP NAS web interface.
2. Go to App Center.
3. Check for HBS 3 updates.
4. Install the latest version.
5. Restart the NAS if prompted or required.
🔧 Temporary Workarounds
Disable HBS 3 Service
Temporarily disable the HBS 3 service if patching cannot be performed immediately:
ssh admin@nas-ip
sudo /etc/init.d/hbs3.sh stop
Network Isolation
Block external access to the NAS management interfaces and HBS ports. A rule that drops all traffic to these ports would also lock out administrators, so exempt the trusted management subnet (192.168.1.0/24 below is a placeholder; substitute your own) and insert the rules ahead of any existing ACCEPT rules:
# Placeholder subnet: replace with the trusted management network
iptables -I INPUT -p tcp --dport 8080 ! -s 192.168.1.0/24 -j DROP
iptables -I INPUT -p tcp --dport 443 ! -s 192.168.1.0/24 -j DROP
🧯 If You Can't Patch
- Immediately disconnect vulnerable devices from the internet and restrict network access to trusted IPs only
- Implement multi-factor authentication and strong access controls for any remaining NAS access
🔍 How to Verify
Check if Vulnerable:
Check the installed HBS 3 version in the QNAP App Center or via SSH: grep version /etc/config/hbs3.conf
Check Version:
ssh admin@nas-ip 'grep version /etc/config/hbs3.conf'
Verify Fix Applied:
Confirm the installed HBS 3 version meets the patched threshold for your QTS / QuTS platform, then confirm that HBS access requires valid credentials.
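The patched thresholds from QSA-21-13 differ per platform and use two unrelated numbering schemes (3.0.2104xx on QTS 4.3.x, 16.0.04xx elsewhere), so a single global minimum version would misclassify devices. The check below, an added example rather than QNAP tooling, looks the threshold up per platform; the platform labels and the return strings are assumptions made for this example.

```python
import re

# Minimum patched HBS 3 version per platform, from the advisory table above.
# Keys (OS family, OS version) are labels assumed for this example.
PATCHED = {
    ("QTS", "4.5.2"): "16.0.0415",
    ("QTS", "4.3.6"): "3.0.210412",
    ("QTS", "4.3.4"): "3.0.210411",
    ("QTS", "4.3.3"): "3.0.210411",
    ("QuTS hero", "h4.5.1"): "16.0.0419",
    ("QuTScloud", "c4.5.1"): "16.0.0419",
    ("QuTScloud", "c4.5.2"): "16.0.0419",
    ("QuTScloud", "c4.5.3"): "16.0.0419",
    ("QuTScloud", "c4.5.4"): "16.0.0419",
}


def version_tuple(version):
    """'16.0.0415' -> (16, 0, 415): compare numerically, never as strings."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version))
    if not parts:
        raise ValueError(f"no numeric components in {version!r}")
    return parts


def hbs_status(os_family, os_version, hbs_version):
    """Classify an installed HBS build for CVE-2021-28799.

    Returns 'not_affected' (HBS 2 / HBS 1.3), 'patched', 'vulnerable',
    or 'unknown_platform' when the OS line is not in the advisory table.
    The threshold is looked up per platform because the HBS version
    series on QTS 4.3.x (3.0.x) is not comparable with the 16.0.x series.
    """
    installed = version_tuple(hbs_version)
    if installed[0] < 3:
        return "not_affected"
    threshold = PATCHED.get((os_family, os_version))
    if threshold is None:
        return "unknown_platform"
    return "patched" if installed >= version_tuple(threshold) else "vulnerable"


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, OS family, OS version, HBS version)
    for host, fam, osv, hbs in [("nas01", "QTS", "4.5.2", "16.0.0410"),
                                ("nas02", "QTS", "4.3.6", "3.0.210412")]:
        print(host, hbs_status(fam, osv, hbs))
```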
📡 Detection & Monitoring
Log Indicators:
- Unauthenticated access to HBS endpoints
- Failed login attempts followed by successful access without proper credentials
- Unexpected admin logins from unfamiliar IPs
Network Indicators:
- Unusual traffic to HBS service ports (typically 8080, 443) from external IPs
- Multiple authentication bypass attempts
SIEM Query:
source="qnap-nas" AND (event="authentication bypass" OR ("HBS" AND "unauthorized access"))