Very High
CVE-2021-28799
CVE-2021-28799
Description
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync. ) If exploited, the vulnerability allows remote attackers to log in to a device. This issue affects: QNAP Systems Inc. HBS 3 versions prior to v16.0.0415 on QTS 4.5.2; versions prior to v3.0.210412 on QTS 4.3.6; versions prior to v3.0.210411 on QTS 4.3.4; versions prior to v3.0.210411 on QTS 4.3.3; versions prior to v16.0.0419 on QuTS hero h4.5.1; versions prior to v16.0.0419 on QuTScloud c4.5.1~c4.5.4. This issue does not affect: QNAP Systems Inc. HBS 2 . QNAP Systems Inc. HBS 1.3 .
Add Assessment
Technical Analysis
Both Palo Alto Networks and Netlab360 (ostensibly, since Netlab360 doesn’t specify any CVEs) have write-ups on widespread attacks leveraging this bug starting in April and going through at least August, including ransomware campaigns. QNAP’s advisory is pretty sparse, but from the news coverage it sounds like this was a hard-coded creds bug that allowed an attacker to log into a vulnerable device (which evidently QLocker and ech0raix ransomware operators did). Yikes—hopefully folks have patched by now.
CVSS V3 Severity and Metrics
General Information
Vendors
- qnap
Products
- hybrid backup sync
Exploited in the Wild
References
Miscellaneous
According to the QNAP forums, where it appears this vulnerability was first disclosed by a user, this vulnerability is hard-coded credentials affecting the SSH interface. The vulnerability only works when vulnerable versions of the app HBS 3 Hybrid Backup Sync is installed. The credentials are
walter:walter.Although more than a year old now, Greynoise’s
QNAP walter SSH Backdoor Attempttag notes that exploitation attempts are ongoing.