{"id":2405,"date":"2021-07-06T16:34:42","date_gmt":"2021-07-06T11:04:42","guid":{"rendered":"https:\/\/xiarch.com\/blog\/?p=2405"},"modified":"2021-07-06T16:34:44","modified_gmt":"2021-07-06T11:04:44","slug":"fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application","status":"publish","type":"post","link":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/","title":{"rendered":"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application"},"content":{"rendered":"\n<p style=\"text-align: justify\">A critical access control bug, tracked as CVE-2021-28809 and discovered by a security researcher, was found in QNAP\u2019s disaster recovery and data backup application.<\/p>\n\n\n\n<p style=\"text-align: justify\">QNAP, a Taiwan-based network-attached storage (NAS) vendor, has addressed this security bug, which could help attackers compromise vulnerable NAS devices.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"624\" height=\"351\" src=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/qnap-fixed-nas-backdoor-image1.jpg\" alt=\"Critical Bug Found Out in NAS Backup Disaster Recovery Application\" class=\"wp-image-2408\" srcset=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/qnap-fixed-nas-backdoor-image1.jpg 624w, https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/qnap-fixed-nas-backdoor-image1-300x169.jpg 300w\" sizes=\"(max-width: 624px) 100vw, 624px\" \/><\/figure><\/div>\n\n\n\n<p style=\"text-align: justify\">The vulnerability lies in the buggy application itself, which fails to restrict unauthorized access and allows attackers to run malicious commands, achieve remote code execution, escalate privileges, or read confidential data without the user\u2019s authorization.<\/p>\n\n\n\n<p style=\"text-align: justify\">According to QNAP, the vulnerability is fixed in the following versions of HBS, and the company advises users to update the application to the latest published versions listed below:<\/p>\n\n\n\n<ul><li><strong>QTS 4.3.6: HBS 3 v3.0.21507 and later<\/strong><\/li><li><strong>QTS 4.3.4: HBS 3 v3.0.21506 and later<\/strong><\/li><li><strong>QTS 4.3.3: HBS 3 v3.0.21506 and later<\/strong><\/li><\/ul>\n\n\n\n<p style=\"text-align: justify\">In its security advisory, QNAP confirmed that the bug tracked as CVE-2021-28809 is fixed, and noted that the advisory covers points that had not been listed in any security update before 14 May 2021.<\/p>\n\n\n\n<p style=\"text-align: justify\">According to QNAP, NAS devices running QTS 4.5.x with HBS 3 v16.x are not affected by this flaw and are not exposed to these attacks.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Another Backdoor Exploited by Qlocker Ransomware<\/strong><\/h2>\n\n\n\n<p style=\"text-align: justify\">QNAP also fixed another high-severity security bug, found in April in the HBS 3 Hybrid Backup and Disaster Recovery application.<\/p>\n\n\n\n<p style=\"text-align: justify\">QNAP initially categorized this backdoor bug as <strong>Hardcoded Credentials<\/strong> and later reclassified it as <strong>Improper Authorization<\/strong>. The backdoor also allowed the Qlocker ransomware to encrypt Internet-exposed NAS devices.<\/p>\n\n\n\n<p style=\"text-align: justify\">On 19 April, Qlocker began targeting QNAP devices in a large campaign that deployed ransomware payloads, locked users\u2019 files, and demanded ransoms.<\/p>\n\n\n\n<p style=\"text-align: justify\">According to the report, the ransomware gang made around $260,000 in only 5 days by collecting ransoms of 0.01 bitcoin. QNAP subsequently warned its users to secure their NAS devices against AgeLocker ransomware attacks, which steal confidential data, and against the eCh0raix ransomware campaign.<\/p>\n\n\n\n<p style=\"text-align: justify\">The eCh0raix ransomware attacked QNAP devices between June 2019 and June 2020. Users are advised to secure their devices against these attacks by following security best practices.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Critical access control bug discovered by security researcher tracked as CVE-2021-28809, found in QNAP\u2019s disaster recovery or data backup solution application. A Taiwan-based organization QNAP, network-attached storage (NAS) addressed this security bug that assists the attackers to infect vulnerable NAS security devices.\u00a0 This entire vulnerability is executed with the help of a buggy application, which [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":2407,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[15],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.11 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"Critical 
access control bug discovered by security researcher tracked as CVE-2021-28809, found in QNAP\u2019s disaster recovery or data backup solution application. A Taiwan-based organization QNAP, network-attached storage (NAS) addressed this security bug that assists the attackers to infect vulnerable NAS security devices.\u00a0 This entire vulnerability is executed with the help of a buggy application, which [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-06T11:04:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-06T11:04:44+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/qnap-fixed-nas-backdoor-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application\",\"datePublished\":\"2021-07-06T11:04:42+00:00\",\"dateModified\":\"2021-07-06T11:04:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/\"},\"wordCount\":390,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Infosec News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/\",\"url\":\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/\",\"name\":\"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application - Xiarch Solutions Private 
Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-07-06T11:04:42+00:00\",\"dateModified\":\"2021-07-06T11:04:44+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/","og_locale":"en_US","og_type":"article","og_title":"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application - Xiarch Solutions Private Limited","og_description":"Critical access control bug discovered by security researcher tracked as CVE-2021-28809, found in QNAP\u2019s disaster recovery or data backup solution application. A Taiwan-based organization QNAP, network-attached storage (NAS) addressed this security bug that assists the attackers to infect vulnerable NAS security devices.\u00a0 This entire vulnerability is executed with the help of a buggy application, which [&hellip;]","og_url":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-07-06T11:04:42+00:00","article_modified_time":"2021-07-06T11:04:44+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/qnap-fixed-nas-backdoor-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application","datePublished":"2021-07-06T11:04:42+00:00","dateModified":"2021-07-06T11:04:44+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/"},"wordCount":390,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Infosec News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/","url":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/","name":"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application - Xiarch Solutions Private 
Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-07-06T11:04:42+00:00","dateModified":"2021-07-06T11:04:44+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/fixed-critical-bug-found-out-in-nas-backup-disaster-recovery-application\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"[Fixed] Critical Bug Found Out in NAS Backup Disaster Recovery Application"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch 
Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2405"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2405"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2405\/revisions"}],"predecessor-version":[{"id":2409,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2405\/revisions\/2409"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2407"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2405"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2405"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2405"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}