CVE-2021-28799
Published on May 13, 2021
Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
Known Exploited Vulnerability
This QNAP NAS Improper Authorization Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device.
The following remediation steps are recommended / required by April 21, 2022: Apply updates per vendor instructions.
Vulnerability Analysis
CVE-2021-28799 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. This vulnerability is known to be actively exploited by threat actors in an automatable fashion. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
What is an AuthZ Vulnerability?
The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CVE-2021-28799 has been classified to as an AuthZ vulnerability or weakness.
Affected Versions
QNAP Systems Inc. HBS 3:- Version unspecified and below v16.0.0415 is affected.
- Version unspecified and below v3.0.210412 is affected.
- Version unspecified and below v3.0.210411 is affected.
- Version unspecified and below v3.0.210411 is affected.
- Version unspecified and below v16.0.0419 is affected.
- Version unspecified and below v16.0.0419 is affected.
- Version all versions is unaffected.
- Version all versions is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.