QNAP NAS Devices Vulnerable to Remote Attacks Through Critical PHP Flaw Exploit

Taiwanese network-attached storage (NAS) device maker QNAP announced yesterday it’s taking steps to fix a high-severity PHP vulnerability that could put devices at risk from remote attacks.
The three-year-old flaw, tracked as CVE-2019-11043, has a CVSS severity score of 9.8 and affects several PHP versions.
Affected PHP versions:
- 7.1.x below 7.1.33
- 7.2.x below 7.2.24
- 7.3.x below 7.3.11
“In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution,” reads the vulnerability’s description.
Only PHP installations with a misconfigured nginx front end are affected by this flaw, however, and both nginx and php-fpm must be installed and running on the NAS device for the vulnerability to be exploitable.
Exploiting this vulnerability could allow perpetrators to execute arbitrary code remotely on compromised devices.
It’s worth noting that QTS, QuTScloud and QuTS hero do not ship with nginx installed by default. Customers who decide to deploy and run php-fpm and nginx on their NAS devices may put themselves at risk.
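The exposure conditions above (a PHP-FPM build in one of the three affected branches, plus nginx and php-fpm both running) can be turned into a simple triage check for NAS fleet inventories. This is an added example, not QNAP's code; the process names and the banner format (`php-fpm -v` style output) are assumptions, and the sample inputs are constructed.

```python
import re

# Affected PHP branches from the advisory: a release is vulnerable when its
# patch level is below the fixed version for that branch. Branches not listed
# here (e.g. 7.4) are outside this advisory and are reported as not affected.
FIXED_IN = {(7, 1): 33, (7, 2): 24, (7, 3): 11}


def parse_php_version(banner: str):
    """Extract (major, minor, patch) from `php-fpm -v` / `php -v` output (assumed format)."""
    m = re.search(r"PHP (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no PHP version found in banner")
    return tuple(int(x) for x in m.groups())


def php_version_affected(version) -> bool:
    """True when the version falls in one of the three affected ranges."""
    major, minor, patch = version
    fixed = FIXED_IN.get((major, minor))
    return fixed is not None and patch < fixed


def nas_exposed(php_banner: str, running_processes) -> dict:
    """Combine the version check with the advisory's precondition:
    both nginx and php-fpm must be running for the flaw to be reachable."""
    names = {p.strip() for p in running_processes}  # assumed: plain process names
    version = parse_php_version(php_banner)
    vulnerable_php = php_version_affected(version)
    stack_present = "nginx" in names and "php-fpm" in names
    exposed = vulnerable_php and stack_present
    return {
        "php_version": ".".join(map(str, version)),
        "vulnerable_php": vulnerable_php,
        "nginx_and_fpm_running": stack_present,
        "exposed": exposed,
        "action": "update to a patched PHP/OS build" if exposed else "no action required by this advisory",
    }


if __name__ == "__main__":
    # Constructed sample inputs, not captured from a real device.
    banner = "PHP 7.3.10 (fpm-fcgi) (built: Oct  1 2019 12:00:00)"
    procs = ["nginx", "php-fpm", "sshd"]
    print(nas_exposed(banner, procs))
```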
According to QNAP’s security advisory, the flaw affects several QNAP operating system versions on devices that run both nginx and php-fpm, namely:
- QTS 5.0.x and later
- QTS 4.5.x and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.x and later
- QuTScloud c5.0.x and later
The company says it has already patched the flaw in some OS versions and will release security updates for the remaining versions “as soon as possible.” The patched OS versions are:
- QTS 5.0.1.2034 build 20220515 and later
- QuTS hero h5.0.0.2069 build 20220614 and later
The advisory follows last week’s QNAP warning against a new wave of DeadBolt ransomware attacks that could lock up NAS devices.
QNAP recommends customers update their system to the latest version to mitigate exploitation of the vulnerability. QTS, QuTS hero and QuTScloud can be updated by following these steps:
- Log on to the OS (QuTS hero, QTS, or QuTScloud) with Administrator rights
- Head to Control Panel > System > Firmware Update
- Click the Check for Update button under Live Update
Alternatively, users can download and apply updates manually from the Support > Download Center section on the QNAP website.