Security ID: QSA-21-13

Improper Authorization Vulnerability in HBS 3 (Hybrid Backup Sync)


  • Release date: April 22, 2021

  • CVE identifier: CVE-2021-28799

  • Affected products: QNAP NAS running HBS 3

Severity

Critical

Status

Resolved


Summary

An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync).

If exploited, the vulnerability allows remote attackers to log in to a device.

We have already fixed this vulnerability in the following versions of HBS 3:

  • QTS 4.5.2: HBS 3 v16.0.0415 and later
  • QTS 4.3.6: HBS 3 v3.0.210412 and later
  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later
  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later
  • QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later

QNAP NAS running HBS 2 and HBS 1.3 are not affected.
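
The fixed-build list above can be applied to a device inventory. The following is an added example, not QNAP code: the inventory rows and host names are constructed, the platform labels are this example's own convention, and reading "c4.5.1~c4.5.4" as an inclusive range is an assumption.

```python
# Added example: audit an inventory against the fixed HBS 3 builds listed above.
FIXED_BUILDS = {
    "QTS 4.5.2": "16.0.0415",
    "QTS 4.3.6": "3.0.210412",
    "QTS 4.3.4": "3.0.210411",
    "QTS 4.3.3": "3.0.210411",
    "QuTS hero h4.5.1": "16.0.0419",
    # Assumption: "c4.5.1~c4.5.4" is an inclusive range of QuTScloud releases.
    **{f"QuTScloud c4.5.{n}": "16.0.0419" for n in range(1, 5)},
}
NOT_AFFECTED_APPS = {"HBS 2", "HBS 1.3"}  # stated as not affected in the advisory


def parse_build(text):
    """Turn 'v16.0.0415' into (16, 0, 415) so builds compare numerically."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(platform, app, build):
    """Return 'not_affected', 'patched', 'vulnerable' or 'unlisted'."""
    if app in NOT_AFFECTED_APPS:
        return "not_affected"
    fixed = FIXED_BUILDS.get(platform)
    if app != "HBS 3" or fixed is None:
        return "unlisted"  # the advisory says nothing about this combination
    return "patched" if parse_build(build) >= parse_build(fixed) else "vulnerable"


# Constructed inventory rows: (host, platform, app, installed build).
INVENTORY = [
    ("nas-01", "QTS 4.5.2", "HBS 3", "v16.0.0415"),
    ("nas-02", "QTS 4.3.6", "HBS 3", "v3.0.210301"),
    ("nas-03", "QuTScloud c4.5.3", "HBS 3", "16.0.0419"),
    ("nas-04", "QTS 4.3.4", "HBS 2", "2.1.190130"),
    ("nas-05", "QTS 4.5.1", "HBS 3", "16.0.0301"),
]


def audit(rows):
    """Map each host to its verdict."""
    return {host: classify(platform, app, build) for host, platform, app, build in rows}


if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host}: {verdict}")
```

Rows reported as `unlisted` are platform releases the list above does not name and need a manual check against the vendor's current guidance.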

Recommendation

To fix the vulnerability, we recommend updating HBS 3 to the latest version.

Updating HBS 3

  1. Log on to QTS or QuTS hero as administrator.
  2. Open the App Center and then click .
    A search box appears.
  3. Type “HBS 3 Hybrid Backup Sync” and then press ENTER.
    HBS 3 appears in the search results.
  4. Click Update.
    A confirmation message appears.
    Note: The Update button is not available if your HBS 3 is already up to date.
  5. Click OK.
    The application is updated.

Acknowledgements: ZUSO ART

Revision History:
V3.0 (May 1, 2021) - Support QTS 4.3.4 and 4.3.3
V2.0 (April 23, 2021) - Revise Acknowledgements
V1.0 (April 22, 2021) - Published
