QNAP NAS Devices Vulnerable to Remote Attacks Through Critical PHP Flaw Exploit

Vlad CONSTANTINESCU

June 23, 2022


Taiwanese network-attached storage (NAS) maker QNAP announced yesterday that it is patching a PHP vulnerability rated critical (CVSS 9.8) that could expose its devices to remote attacks.

The three-year-old flaw, tracked as CVE-2019-11043, carries a CVSS severity score of 9.8 and affects several PHP 7 release branches.

Affected PHP versions:

  • 7.1.x below 7.1.33
  • 7.2.x below 7.2.24
  • 7.3.x below 7.3.11

“In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution,” reads the vulnerability’s description.

The flaw is only reachable through a particular nginx setup, however: a location block that derives PATH_INFO with fastcgi_split_path_info (typically the regular expression ^(.+?\.php)(/.*)$) and passes it to php-fpm without a try_files check confirming that the requested script exists. A request whose path carries a URL-encoded newline (%0a) after the script name makes that regular expression fail, PATH_INFO reaches php-fpm empty, and a pointer underflow in the FPM module then lets it write outside its buffer. Both nginx and php-fpm must therefore be installed and running on the NAS for the vulnerability to be exploitable.

Successful exploitation lets an attacker execute arbitrary code remotely on a vulnerable device.

It’s worth noting that QTS, QuTScloud and QuTS hero do not ship with nginx installed by default. Customers who choose to deploy and run php-fpm and nginx on their NAS devices expose themselves to this flaw.
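As an added illustration, not part of Bitdefender’s article or QNAP’s advisory, the following Python script shows the three checks a NAS administrator or analyst would want to run: whether a PHP version falls in the affected ranges listed above, whether an nginx location block has the fastcgi_split_path_info / PATH_INFO pattern without the try_files guard that the bug needs, and whether an access log contains the URL-encoded newline in the request path that triggers it. The configuration snippets and log lines are constructed for the example; the .php URL pattern is a heuristic written for this example, not an official signature.

```python
import re
from typing import List, Tuple

# First fixed patch release per affected PHP branch (from the advisory text above).
FIXED_PHP_PATCH = {(7, 1): 33, (7, 2): 24, (7, 3): 11}


def php_is_affected(version: str) -> bool:
    """True when a 'major.minor.patch' PHP version lies in an affected range.

    Branches outside 7.1-7.3 (e.g. 7.4, 8.x) were never affected and return False.
    """
    parts = version.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unexpected PHP version string: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    fixed = FIXED_PHP_PATCH.get((major, minor))
    return fixed is not None and patch < fixed


# The exposed configuration: PATH_INFO derived from fastcgi_split_path_info and
# handed to php-fpm without first confirming that the script actually exists.
SPLIT_PATH_INFO_RE = re.compile(r"^\s*fastcgi_split_path_info\s", re.MULTILINE)
PATH_INFO_PARAM_RE = re.compile(r"^\s*fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info", re.MULTILINE)
TRY_FILES_RE = re.compile(r"^\s*try_files\s+\$fastcgi_script_name\s+=404", re.MULTILINE)


def nginx_location_is_exposed(location_block: str) -> bool:
    """Heuristic audit of one nginx `location` block given as text.

    Returns True when the block splits PATH_INFO for php-fpm but lacks the
    `try_files $fastcgi_script_name =404;` guard recommended by the PHP project.
    """
    text = re.sub(r"#.*", "", location_block)  # a commented-out try_files must not count
    return bool(
        SPLIT_PATH_INFO_RE.search(text)
        and PATH_INFO_PARAM_RE.search(text)
        and not TRY_FILES_RE.search(text)
    )


# Access-log triage: the bug is triggered by a request whose *path* (not the
# query string) carries a URL-encoded newline after the .php script name, which
# makes the split regex fail so PATH_INFO arrives empty at php-fpm.
LOG_LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
EXPLOIT_PATH_RE = re.compile(r"\.php/[^?\s]*%0a", re.IGNORECASE)  # heuristic, example-only


def find_exploit_attempts(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, uri) for requests matching the encoded-newline pattern."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line)
        if m and EXPLOIT_PATH_RE.search(m.group("uri")):
            hits.append((m.group("ip"), m.group("uri")))
    return hits


# --- constructed sample data (not real QNAP configuration or traffic) ---
VULNERABLE_LOCATION = r"""
location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_pass unix:/run/php-fpm.sock;
    include fastcgi_params;
}
"""

# Same block with the mitigation the PHP project recommends for this bug.
HARDENED_LOCATION = VULNERABLE_LOCATION.replace(
    "    fastcgi_param PATH_INFO",
    "    try_files $fastcgi_script_name =404;\n    fastcgi_param PATH_INFO",
)

SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [23/Jun/2022:10:00:01 +0000] "GET /index.php/PHP%0Aprobe.php?QQQQQQQQ HTTP/1.1" 502 0',
    '198.51.100.7 - - [23/Jun/2022:10:00:02 +0000] "GET /index.php/user/profile?id=7 HTTP/1.1" 200 1532',
    '192.0.2.9 - - [23/Jun/2022:10:00:03 +0000] "GET /search.php?q=a%0ab HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for v in ("7.3.10", "7.3.11", "7.4.30"):
        print(f"PHP {v}: {'AFFECTED' if php_is_affected(v) else 'ok'}")
    print("vulnerable location exposed:", nginx_location_is_exposed(VULNERABLE_LOCATION))
    print("hardened location exposed:  ", nginx_location_is_exposed(HARDENED_LOCATION))
    for ip, uri in find_exploit_attempts(SAMPLE_ACCESS_LOG):
        print(f"possible CVE-2019-11043 probe from {ip}: {uri}")
```

The third sample log line carries an encoded newline only in the query string and is deliberately not flagged: nginx applies fastcgi_split_path_info to the URI path, so a newline in the query does not disturb PATH_INFO. On a NAS the same functions can be fed the output of php-fpm -v, the running nginx configuration, and the web server’s access log.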

According to QNAP’s security advisory, the flaw affects several QNAP operating system versions on devices that run both nginx and php-fpm, namely:

  • QTS 5.0.x and later
  • QTS 4.5.x and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.x and later
  • QuTScloud c5.0.x and later

The company says it has already patched the flaw in some OS versions and will release security updates for the remaining versions “as soon as possible.” The patched OS versions are:

  • QTS 5.0.1.2034 build 20220515 and later
  • QuTS hero h5.0.0.2069 build 20220614 and later

The advisory follows last week’s QNAP warning against a new wave of DeadBolt ransomware attacks that could lock up NAS devices.

QNAP recommends that customers update their system to the latest version to close the hole. QTS, QuTS hero and QuTScloud can be updated by following these steps:

  1. Log on to the OS (QuTS hero, QTS, or QuTScloud) with Administrator rights
  2. Head to Control Panel > System > Firmware Update
  3. Click the Check for Update button under Live Update

Alternatively, users can download and apply updates manually from the Support > Download Center section on the QNAP website.
