QNAP Releases Patch to Fix PHP Security Flaw Affecting Select NAS Devices

QNAP has released a patch to address a new PHP security vulnerability that affects specific configurations of its Network Attached Storage (NAS) devices. The company has urged its customers to update their systems to protect against remote code execution (RCE) attacks.

Tracked as CVE-2019-11043, the security flaw was first reported to QNAP three years ago, and it exists in the popular server scripting language ‘PHP.’ “A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx configuration. If exploited, the vulnerability allows attackers to gain remote code execution,” QNAP explained.

The PHP security vulnerability was found in QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later. However, the company indicated that the flaw doesn’t impact NAS devices with default configurations.

“For the vulnerability to be exploited, both nginx and php-fpm must be running. While QTS, QuTS hero, and QuTScloud do not have nginx installed by default, your QNAP NAS may still be affected if you have installed and are running nginx and php-fpm on your NAS,” QNAP added.
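A triage check for the two conditions above, written for this page as an added example (it is not QNAP's tooling): it compares a PHP version string against the affected ranges QNAP lists and looks for both nginx and php-fpm in a process listing. The function names and the sample process listing are constructed for illustration, and the script does not inspect the nginx configuration itself.

```sh
#!/bin/sh
# Added example, not QNAP's code. Checks the two conditions the advisory names:
# an affected PHP version, and nginx and php-fpm both running.

is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; return 0; }

# Return 0 if affected, 1 if not, 2 if the version string cannot be parsed.
# Ranges from the advisory: 7.1.x < 7.1.33, 7.2.x < 7.2.24, 7.3.x < 7.3.11.
php_version_affected() {
    ver=${1%%[-+~]*}                 # drop packaging suffixes, e.g. "-0ubuntu0.18.04.2"
    case $ver in *.*.*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # keep leading digits only
    is_uint "$major" && is_uint "$minor" && is_uint "$patch" || return 2
    [ "$major" -eq 7 ] || return 1
    case $minor in
        1) fixed=33 ;;
        2) fixed=24 ;;
        3) fixed=11 ;;
        *) return 1 ;;
    esac
    [ "$patch" -lt "$fixed" ]
}

# Return 0 if the process listing in $1 shows both nginx and php-fpm.
nginx_and_fpm_running() {
    case $1 in *nginx*) ;; *) return 1 ;; esac
    case $1 in *php-fpm*) ;; *) return 1 ;; esac
}

# Print a one-word verdict for a PHP version ($1) and a process listing ($2).
assess() {
    rc=0
    php_version_affected "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then echo "unknown"
    elif [ "$rc" -eq 1 ]; then echo "not-affected"
    elif nginx_and_fpm_running "$2"; then echo "exposed"
    else echo "version-only"
    fi
}

# Constructed sample input, not captured from a real NAS.
SAMPLE_PS='  812 admin  nginx: master process /usr/sbin/nginx
  845 admin  php-fpm: master process (/etc/php-fpm.conf)'
assess "7.2.19-0ubuntu0.18.04.2" "$SAMPLE_PS"
# On a live host (assumes php and ps are on PATH):
#   assess "$(php -r 'echo PHP_VERSION;')" "$(ps)"
```

A verdict of `version-only` means the PHP build is in an affected range but nginx and php-fpm were not both seen running; the firmware update still applies.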

QNAP advises users to install the latest firmware update

Fortunately, QNAP has already mitigated the security flaw in OS versions QTS build 20220515 and QuTS hero h5.0.0.2069 build 20220614. QNAP has encouraged users to install the latest firmware update on their NAS devices immediately.

To do this, IT admins will first need to log on to QTS, QuTS hero, or QuTScloud, head to Control Panel >> System >> Firmware Update, and click Check for Update. Alternatively, they can manually download the update from the QNAP website.

In addition to the CVE-2019-11043 security flaw, QNAP is investigating a new series of DeadBolt ransomware attacks targeting its NAS devices. The company recommends that users update all devices to the latest version and ensure that the NAS instances aren’t exposed to the internet.