Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks

0
1659
QNAP NAS PHP Vulnerability

QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Wednesday said it’s in the process of fixing a critical three-year-old PHP vulnerability that could be abused to achieve remote code execution.

“A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config,” the hardware vendor said in an advisory. “If exploited, the vulnerability allows attackers to gain remote code execution.”

CyberSecurity

The vulnerability, tracked as CVE-2019-11043, is rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system. That said, it’s required that Nginx and php-fpm are running in appliances using the following QNAP operating system versions –

  • QTS 5.0.x and later
  • QTS 4.5.x and later
  • QuTS hero h5.0.x and later
  • QuTS hero h4.5.x and later
  • QuTScloud c5.0.x and later

“As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state,” the company said, adding it had already mitigated the issue in OS versions QTS 5.0.1.2034 build 20220515 and QuTS hero h5.0.0.2069 build 20220614.

The alert comes a week after QNAP revealed that it’s “thoroughly investigating” yet another wave of DeadBolt ransomware attacks targeting QNAP NAS devices running outdated versions of QTS 4.x.

CyberSecurity

Besides urging customers to upgrade to the newest version of QTS or QuTS hero operating systems, it’s also recommending that the devices are not exposed to the internet.

Additionally, QNAP has advised customers who cannot locate the ransom note after upgrading the firmware to enter the received DeadBolt decryption key to reach out to QNAP Support for assistance.

“If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page,” it said.