CVE-2021-28799
Published: 13 May 2021
Summary
CVE-2021-28799 is a critical-severity Improper Authorization (CWE-285) vulnerability in QNAP Hybrid Backup Sync. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
An improper authorization vulnerability affects QNAP NAS devices running HBS 3 (Hybrid Backup Sync) versions prior to v16.0.0415 on QTS 4.5.2, prior to v3.0.210412 on QTS 4.3.6, prior to v3.0.210411 on QTS 4.3.4 and 4.3.3, and prior to v16.0.0419 on QuTS hero h4.5.1 and QuTScloud c4.5.1 through c4.5.4. The flaw is absent from HBS 2 and HBS 1.3. Successful exploitation permits remote attackers to authenticate to the device without valid credentials.
Attackers require no authentication or user interaction and can achieve full device login over the network, resulting in complete compromise of confidentiality, integrity, and availability as reflected in the CVSS 10.0 score.
QNAP has published advisory QSA-21-13 detailing the affected builds and corrective updates. The vulnerability also appears in CISA's catalog of known exploited vulnerabilities, confirming observed in-the-wild activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-15455
Vulnerability details
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync). If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2; QNAP Systems Inc. HBS 1.3.
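As an added example (not part of this advisory or any QNAP tooling), the version check below encodes the affected-build thresholds listed in the deeper analysis and in the vulnerability details above, so a NAS inventory can be screened for unpatched HBS 3 installs. It assumes platform and version strings are recorded in the advisory's own naming (e.g. "QTS 4.5.2", "v16.0.0415"); combinations the advisory does not list are reported as unknown rather than guessed.

```python
"""Screen NAS inventory records for HBS 3 builds affected by CVE-2021-28799.

Thresholds come from the QNAP advisory text; platform/version strings are
assumed to match that naming. Not affiliated with QNAP.
"""
from __future__ import annotations
import re
from typing import Optional

# (platform family, platform versions) -> first fixed HBS 3 build, per the advisory
FIXED_BUILDS = {
    ("QTS", ("4.5.2",)): "v16.0.0415",
    ("QTS", ("4.3.6",)): "v3.0.210412",
    ("QTS", ("4.3.4", "4.3.3")): "v3.0.210411",
    ("QuTS hero", ("h4.5.1",)): "v16.0.0419",
    ("QuTScloud", ("c4.5.1", "c4.5.2", "c4.5.3", "c4.5.4")): "v16.0.0419",
}

def parse_version(ver: str) -> tuple[int, ...]:
    """'v16.0.0415' -> (16, 0, 415); the leading 'v' and zero padding are dropped."""
    nums = re.findall(r"\d+", ver)
    if not nums:
        raise ValueError(f"unparseable version: {ver!r}")
    return tuple(int(n) for n in nums)

def is_vulnerable(platform: str, platform_version: str, hbs_version: str) -> Optional[bool]:
    """True if the HBS build is below the fixed build for this platform,
    False if it is fixed or is HBS 1.x / 2.x (not affected),
    None if the platform/version pair is not covered by the advisory."""
    hbs = parse_version(hbs_version)
    if hbs[0] in (1, 2):          # HBS 1.3 and HBS 2 are stated as not affected
        return False
    for (family, plat_versions), fixed in FIXED_BUILDS.items():
        if family == platform and platform_version in plat_versions:
            return hbs < parse_version(fixed)
    return None                   # combination not listed; do not assume safe

def scan_inventory(inventory: list[dict]) -> list[str]:
    """Names of inventory entries confirmed vulnerable (unknowns are excluded)."""
    return [r["name"] for r in inventory
            if is_vulnerable(r["platform"], r["platform_version"], r["hbs_version"])]

# Constructed sample inventory for illustration; these are not real devices.
SAMPLE_INVENTORY = [
    {"name": "nas-01", "platform": "QTS", "platform_version": "4.5.2", "hbs_version": "v16.0.0414"},
    {"name": "nas-02", "platform": "QTS", "platform_version": "4.5.2", "hbs_version": "v16.0.0415"},
    {"name": "nas-03", "platform": "QTS", "platform_version": "4.3.6", "hbs_version": "v3.0.210411"},
    {"name": "nas-04", "platform": "QuTScloud", "platform_version": "c4.5.3", "hbs_version": "v2.1.0"},
    {"name": "nas-05", "platform": "QTS", "platform_version": "4.5.3", "hbs_version": "v16.0.0410"},
]
```

Entries whose platform/version pair is not in the advisory (such as nas-05 above) return None and should be triaged by hand against QSA-21-13 rather than treated as patched.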
- CWE(s): CWE-285 (Improper Authorization)
- KEV Date Added: 31 March 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authorization decisions so that remote attackers cannot obtain a login session on HBS 3 without presenting valid credentials.
- IA-2 (Identification and Authentication (Organizational Users)): Requires successful identification and authentication of users before allowing device access, blocking the unauthenticated login path exploited by CVE-2021-28799.
- Remote access restriction: Restricts and authorizes remote connections to the NAS, limiting the network attack surface that the improper-authorization flaw relies on.