jbaines-r7's comment on CVE-2021-28799

Description

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .

Add Assessment

ccondon-r7 (282)

October 11, 2021 2:52pm UTC (3 years ago)•Edited 3 years ago

Ratings

Attacker Value

Very High

Exploitability

Very High

Easy to weaponize Gives privileged access

Technical Analysis

Both Palo Alto Networks and Netlab360 (ostensibly, since Netlab360 doesn’t specify any CVEs) have write-ups on widespread attacks leveraging this bug starting in April and going through at least August, including ransomware campaigns. QNAP’s advisory is pretty sparse, but from the news coverage it sounds like this was a hard-coded creds bug that allowed an attacker to log into a vulnerable device (which evidently QLocker and ech0raix ransomware operators did). Yikes—hopefully folks have patched by now.

See More &1 replySee Less

jbaines-r7 (77) July 14, 2022 7:57pm UTC (2 years ago)•Edited 2 years ago

According to the QNAP forums, where it appears this vulnerability was first disclosed by a user, this vulnerability is hard-coded credentials affecting the SSH interface. The vulnerability only works when vulnerable versions of the app HBS 3 Hybrid Backup Sync is installed. The credentials are walter:walter.

Although more than a year old now, Greynoise’s QNAP walter SSH Backdoor Attempt tag notes that exploitation attempts are ongoing.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

qnap

Products

hybrid backup sync

Exploited in the Wild

Reported by:

gwillcox-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
News Article or Blog (https://therecord.media/new-qlocker-ransomware-is-hitting-hundreds-of-qnap-nas-devices-per-day/)

Reported: April 23, 2021 9:33pm UTC (3 years ago) • Edited 2 years ago

ccondon-r7 indicated source as News Article or Blog (https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/)

Reported: October 11, 2021 2:40pm UTC (3 years ago)

cwyre-r7 indicated source as Other: Ransomware (https://www.bleepingcomputer.com/news/security/qlocker-ransomware-returns-to-target-qnap-nas-devices-worldwide/)

Reported: August 23, 2024 4:57pm UTC (2 months ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2022/03/31/cisa-adds-seven-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:28am UTC (1 week ago)

References

Canonical

CVE-2021-28799 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28799)

Miscellaneous

https://www.qnap.com/en/security-advisory/QSA-21-13

Rapid7

Very High

CVE-2021-28799

Very High

Very High

None

None

Network

CVE-2021-28799

Description