QNAP Releases Patch to Fix PHP Security Flaw Affecting Select NAS Devices
QNAP has released a patch to address a new PHP security vulnerability that affects specific configurations of its Network Attached Storage (NAS) devices. The company has urged its customers to update their systems to protect against remote code execution (RCE) attacks.
Tracked as CVE-2019-11043, the security flaw was first publicly disclosed three years ago, in 2019, and exists in PHP itself rather than in QNAP's own code. “A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx configuration. If exploited, the vulnerability allows attackers to gain remote code execution,” QNAP explained.
The affected QNAP product lines are QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later. However, the company indicated that the flaw doesn’t impact NAS devices running the default configuration.
“For the vulnerability to be exploited, both nginx and php-fpm must be running. While QTS, QuTS hero, and QuTScloud do not have nginx installed by default, your QNAP NAS may still be affected if you have installed and are running nginx and php-fpm on your NAS,” QNAP added.
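The “improper nginx configuration” QNAP refers to is the well-known PHP-FPM handoff that relies on `fastcgi_split_path_info` without first checking that the requested script actually exists. The script below is an added example, not code from QNAP or from this article: it models how the split regex behaves on a crafted URI and audits nginx `location` blocks for the missing `try_files ... =404` guard. The sample configurations, the document root `/share/Web` and the socket path are constructed for illustration; the regex model assumes Python's `re` and nginx's PCRE agree that `.` does not match a newline, which holds for this pattern.

```python
"""Audit nginx PHP-FPM location blocks for the CVE-2019-11043 precondition.

Added example, not QNAP's or the article's code. Sample configs below are
constructed; paths and socket names are illustrative assumptions.
"""
import re

# Constructed sample: a common PHP handoff that trusts the split regex alone.
VULNERABLE_CONF = """
server {
    listen 80;
    root /share/Web;
    location ~ [^/]\\.php(/|$) {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_pass unix:/var/run/php-fpm.sock;
    }
}
"""

# Same block with the guard: nginx returns 404 for a script that does not
# exist on disk, so a crafted URI never reaches php-fpm.
HARDENED_CONF = VULNERABLE_CONF.replace(
    "        fastcgi_split_path_info",
    "        try_files $fastcgi_script_name =404;\n        fastcgi_split_path_info",
)

# Model of `fastcgi_split_path_info ^(.+?\.php)(/.*)$` (assumption: PCRE and
# Python agree that '.' stops at a newline, which is what the exploit relies on).
SPLIT_RE = re.compile(r"^(.+?\.php)(/.*)$")


def split_path_info(uri):
    """Return (script_name, path_info) the way nginx would set the variables.

    When the regex does not match, nginx falls back to the whole URI as the
    script name and leaves $fastcgi_path_info empty, which is the condition
    the PHP-FPM bug needs.
    """
    m = SPLIT_RE.match(uri)
    if m:
        return m.group(1), m.group(2)
    return uri, ""


def location_blocks(conf):
    """Yield (header, body) for each location block, matching braces by depth."""
    blocks = []
    for m in re.finditer(r"location\s+[^{]+\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
            i += 1
        header = conf[m.start():m.end() - 1].strip()
        blocks.append((header, conf[m.end():i - 1]))
    return blocks


def audit(conf):
    """Return headers of FastCGI blocks that split PATH_INFO without a 404 guard."""
    findings = []
    for header, body in location_blocks(conf):
        directives = [d.strip() for d in body.split(";") if d.strip()]
        names = {d.split()[0] for d in directives}
        if "fastcgi_pass" not in names:
            continue  # not a FastCGI handoff, nothing to check
        uses_split = "fastcgi_split_path_info" in names
        guarded = any(d.startswith("try_files") and "=404" in d for d in directives)
        if uses_split and not guarded:
            findings.append(header)
    return findings


if __name__ == "__main__":
    print(split_path_info("/index.php/foo"))          # normal request
    print(split_path_info("/index.php/\nPHP_VALUE"))  # newline defeats the regex
    print("vulnerable:", audit(VULNERABLE_CONF))
    print("hardened:  ", audit(HARDENED_CONF))
```

On a NAS where you have installed nginx yourself, running `audit()` over the actual server config tells you whether the block is exposed; the second `split_path_info` call shows why a URL-encoded newline (`%0a`) is enough to leave `PATH_INFO` empty, and why `try_files $fastcgi_script_name =404` stops the request before php-fpm ever sees it.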
QNAP advises users to install the latest firmware update
Fortunately, QNAP has already mitigated the security flaw in QTS 5.0.1.2034 build 20220515 and QuTS hero h5.0.0.2069 build 20220614. QNAP has encouraged users to install the latest firmware update on their NAS devices immediately.
To do this, IT admins will first need to log on to QTS, QuTS hero, or QuTScloud, head to Control Panel >> System >> Firmware Update, and click Check for Update. Alternatively, they can manually download the update from the QNAP website.
In addition to the CVE-2019-11043 security flaw, QNAP is investigating a new series of DeadBolt ransomware attacks targeting its NAS devices. The company recommends that users update all devices to the latest version and ensure that NAS instances aren’t exposed to the internet.