
Qnap Security Advisory Bulletin ID: QSA-21-12 and QSA-21-14

Concerning NAS running HBS 3 App and Qlocker ransomware, and relative path traversal vulnerability in QTS and QuTS hero NAS OS

Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

The advisory includes the following:

Qlocker ransomware
Release date: May 21, 2021
Security ID: QSA-21-12
Severity: Critical
Affected products: Qnap NAS running HBS 3

Summary
A ransomware campaign targeting the company’s NAS began the week of April 19th, 2021. The ransomware, known as Qlocker, exploits CVE-2021-28799 to attack NAS running certain versions of HBS 3 (Hybrid Backup Sync).

Once a NAS is infected, the ransomware moves files on the NAS into password-protected 7z archives. Snapshots are also removed, and users are left with a !!!READ_ME.txt ransom note in each affected folder. To extract the files from the archives, victims would need to enter a password known only to the attacker.
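As an added example (not part of the Qnap advisory), a read-only triage script that walks a share looking for the behaviour described above: folders holding the !!!READ_ME.txt note, with a count of the files in them that carry the 7z signature. The function names and the sample tree are constructed for illustration.

```python
import os
import sys

RANSOM_NOTE = "!!!READ_ME.txt"        # note file name given in the advisory
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"  # signature at the start of every 7z file


def is_7z(path):
    """True if the file starts with the 7z signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SEVENZ_MAGIC)) == SEVENZ_MAGIC
    except OSError:
        return False  # unreadable files are counted as "other"


def triage(root):
    """Map each folder containing the ransom note to its file counts."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        if RANSOM_NOTE not in files:
            continue
        counts = {"archives": 0, "other": 0}
        for name in files:
            if name != RANSOM_NOTE:
                kind = "archives" if is_7z(os.path.join(folder, name)) else "other"
                counts[kind] += 1
        findings[folder] = counts
    return findings


def build_sample(root):
    """Constructed sample tree: one affected folder and one clean folder."""
    photos = os.path.join(root, "share", "photos")
    docs = os.path.join(root, "share", "docs")
    os.makedirs(photos)
    os.makedirs(docs)
    samples = {
        os.path.join(photos, RANSOM_NOTE): b"constructed note",
        os.path.join(photos, "a.jpg.7z"): SEVENZ_MAGIC + b"\x00\x04",
        os.path.join(photos, "b.jpg.7z"): SEVENZ_MAGIC + b"\x00\x04",
        os.path.join(photos, "c.jpg"): b"\xff\xd8\xff untouched",
        os.path.join(docs, "report.txt"): b"clean folder",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)


if __name__ == "__main__" and len(sys.argv) > 1:
    for folder, counts in sorted(triage(sys.argv[1]).items()):
        print(f"{folder}: {counts['archives']} 7z archives, {counts['other']} other files")
```

A non-zero "other" count in a flagged folder means some files there were not moved into archives, which helps scope what has to come back from backup.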

The company has already fixed the related vulnerability in the following versions of HBS 3:

  • QTS 4.5.2: HBS 3 v16.0.0415 and later

  • QTS 4.3.6: HBS 3 v3.0.210412 and later

  • QTS 4.3.3 and 4.3.4: HBS 3 v3.0.210411 and later

  • QuTS hero h4.5.1: HBS 3 v16.0.0419 and later

  • QuTScloud c4.5.1~c4.5.4: HBS 3 v16.0.0419 and later

The firm’s NAS running HBS 2 and HBS 1.3 are not affected.


Relative path traversal vulnerability in QTS and QuTS hero NAS OS
Release date: May 21, 2021
Security ID: QSA-21-14
Severity: High
CVE identifier: CVE-2021-28798
Affected products: All Qnap NAS

Summary
A relative path traversal vulnerability has been reported to affect the company’s NAS running QTS and QuTS hero. If exploited, this vulnerability allows attackers to modify files that impact system integrity.

The company has already fixed the vulnerability in the following versions:

  • QTS 4.5.2.1630 Build 20210406 and later

  • QTS 4.3.6.1663 Build 20210504 and later

  • QTS 4.3.3.1624 Build 20210416 and later

  • QuTS hero h4.5.2.1638 Build 20210414 and later

The firm’s NAS running QTS 4.5.3 are not affected.
