CVE-2021-28809
Missing Authentication for Critical Function in RTRR Server in HBS3
In short
The RTRR Server in certain legacy versions of the HBS 3 backup application on QNAP QTS lacks proper authentication checks, allowing unauthenticated attackers to reach critical functions without credentials and compromise the operating system.
Technical detail
An improper access control vulnerability in the RTRR Server component of HBS 3 fails to enforce authentication for critical administrative functions (CWE-284, CWE-306), enabling unauthenticated remote attackers to execute privileged operations and achieve OS-level compromise. The vulnerability affects legacy QTS versions (4.3.3, 4.3.4 and 4.3.6) and was remediated in HBS 3 v3.0.210506 or later on QTS 4.3.3 and 4.3.4, and in HBS 3 v3.0.210507 or later on QTS 4.3.6.
Summary generated and translated by AI from the official description.
An improper access control vulnerability has been reported to affect certain legacy versions of HBS 3. If exploited, this vulnerability allows attackers to compromise the security of the operating system. QNAP have already fixed this vulnerability in the following versions of HBS 3:
QTS 4.3.6: HBS 3 v3.0.210507 and later
QTS 4.3.4: HBS 3 v3.0.210506 and later
QTS 4.3.3: HBS 3 v3.0.210506 and later
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
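As an added example (not part of the advisory or QNAP's own tooling), the following check maps the QTS branch a NAS runs to the fixed HBS 3 build listed above and reports whether an installed HBS 3 version still predates the fix; the QTS and HBS 3 version strings passed in are assumed to be the values shown in the QTS App Center, and builds outside the three listed branches are reported as unknown rather than guessed.

```python
from typing import Optional, Tuple

# Fixed HBS 3 build per QTS branch, exactly as stated in the advisory text.
FIXED_HBS3_BY_QTS = {
    "4.3.6": "3.0.210507",
    "4.3.4": "3.0.210506",
    "4.3.3": "3.0.210506",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '3.0.210506' into (3, 0, 210506).

    Trailing non-numeric segments (e.g. a build tag) are ignored so that a
    string like '3.0.210506.beta' still compares on its numeric prefix.
    """
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(parts)


def qts_branch(qts_version: str) -> str:
    """Reduce a full QTS version such as '4.3.6.1750' to its '4.3.6' branch."""
    return ".".join(qts_version.strip().split(".")[:3])


def is_vulnerable(qts_version: str, hbs3_version: str) -> Optional[bool]:
    """Return True if the installed HBS 3 build predates the fix for this
    QTS branch, False if it is at or above the fixed build, and None when the
    QTS branch is not one the advisory lists (no conclusion can be drawn)."""
    fixed = FIXED_HBS3_BY_QTS.get(qts_branch(qts_version))
    if fixed is None:
        return None
    return parse_version(hbs3_version) < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, QTS version, HBS 3 version).
    inventory = [
        ("nas-01", "4.3.6.1750", "3.0.210506"),
        ("nas-02", "4.3.4.1000", "3.0.210506"),
        ("nas-03", "4.5.4.1800", "3.0.210506"),
    ]
    for host, qts, hbs in inventory:
        state = {True: "VULNERABLE", False: "fixed", None: "branch not listed"}
        print(f"{host}: QTS {qts}, HBS 3 {hbs} -> {state[is_vulnerable(qts, hbs)]}")
```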
Affected products
QNAP Systems Inc. · HBS 3