QNAP Releases Patch to Fix PHP Security Flaw Affecting Select NAS Devices
QNAP has released a patch to address a new PHP security vulnerability that affects specific configurations of its Network Attached Storage (NAS) devices. The company has urged its customers to update their systems to protect against remote code execution (RCE) attacks.
Tracked as CVE-2019-11043, the security flaw was first reported to QNAP three years ago, and it exists in the popular server scripting language ‘PHP.’ “A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx configuration. If exploited, the vulnerability allows attackers to gain remote code execution,” QNAP explained.
The PHP security vulnerability was found in QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later. However, the company indicated that the flaw doesn’t impact NAS devices with default configurations.
“For the vulnerability to be exploited, both nginx and php-fpm must be running. While QTS, QuTS hero, and QuTScloud do not have nginx installed by default, your QNAP NAS may still be affected if you have installed and are running nginx and php-fpm on your NAS,” QNAP added.
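The affected-version ranges and the "both nginx and php-fpm must be running" precondition quoted above, as an added POSIX sh triage script (not QNAP's own tooling); it assumes `php-fpm -v` and `ps` are available in the NAS shell:

```sh
#!/bin/sh
# Added example, not QNAP's code: triage helper for CVE-2019-11043 on a NAS.
# 1) php_affected VERSION  -> exit 0 if VERSION is in an affected range,
#    1 if not, 2 if VERSION is not an x.y.z string.
#    Affected per the advisory: 7.1.x < 7.1.33, 7.2.x < 7.2.24, 7.3.x < 7.3.11.
php_affected() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 2 ;;                # e.g. "7.2": too vague to decide
    esac
    ver=$1
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}            # drop suffixes such as "-fpm" or "rc1"
    [ "$major" = 7 ] || return 1
    case "$minor" in
        1) [ "$patch" -lt 33 ] ;;
        2) [ "$patch" -lt 24 ] ;;
        3) [ "$patch" -lt 11 ] ;;
        *) return 1 ;;
    esac
}

# 2) proc_running NAME -> exit 0 if a process whose command line contains NAME
#    exists. "ps -e" is POSIX; fall back to bare "ps" on minimal busybox builds.
proc_running() {
    { ps -e 2>/dev/null || ps; } | grep -v grep | grep -q "$1"
}

# 3) exploit_precondition -> exit 0 only when nginx AND php-fpm are both running,
#    which is the condition QNAP states for a NAS to be exposed at all.
exploit_precondition() {
    proc_running nginx && proc_running php-fpm
}

# 4) report -> human-readable summary; reads the version from "php-fpm -v"
#    (output looks like "PHP 7.3.10 (fpm-fcgi) (built: ...)").
report() {
    ver=$(php-fpm -v 2>/dev/null | sed -n 's/^PHP \([0-9.]*\).*/\1/p' | head -n 1)
    if php_affected "${ver:-unknown}"; then vstate="AFFECTED"; else vstate="not affected"; fi
    if exploit_precondition; then pstate="nginx+php-fpm running"; else pstate="precondition absent"; fi
    echo "php-fpm version: ${ver:-unknown} ($vstate); $pstate"
}

# Run the report only when invoked with --report, so the functions can be sourced.
case "${1:-}" in --report) report ;; esac
```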
QNAP advises users to install the latest firmware update
Fortunately, QNAP has already mitigated the security flaw in OS versions QTS 126.96.36.1994 build 20220515, and QuTS hero h188.8.131.529 build 20220614. QNAP has encouraged users to install the latest firmware update on their NAS devices immediately.
To do this, IT admins will first need to log on to QTS, QuTS hero, or QuTScloud, head to Control Panel >> System >> Firmware Update, and click Check for Update. Alternatively, they can manually download the update from the QNAP website.
In addition to the CVE-2019-11043 security flaw, QNAP is investigating a new series of DeadBolt ransomware attacks targeting its NAS devices. The company recommends that users update all devices to the latest version and ensure that the NAS instances aren’t exposed to the internet.