A Security Advisory was published by QNAP on Wednesday to advise their customers of the status of Remote Code Execution vulnerability that affects many of their products. The vulnerability is in the versions of PHP which ship as part of the QNAP operating system.
The vulnerability affects devices running:
- QTS 5.0.x and later
- QTS 4.5.x and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.x and later
- QuTScloud c5.0.x and later
The identified flaw can seemingly only present a risk to users when they have non-default configurations, as it needs nginx to be running on the system. This means it does not affect QTS, QuTS hero or QuTScloud if they are in their default configurations as they do not have nginx by default. If the user has installed nginx on these devices, then they are at risk and should install the latest updates to mitigate this.
The PHP vulnerability is three years old and affects PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. Tracked as CVE-2019-11043, this vulnerability can result in remote code execution (RCE) if exploited. First identified in 2019, this vulnerability has been given a CVSS 9.8/10 critical score by NIST NVD. This vulnerability occurs in the FastCGI Process Manager (FPM), where an overwrite past the buffers can cause the FPM module to write into the space that is reserved for FCGI protocol data. This allows attackers to perform RCE within the boundaries of the FCGI protocol.
QNAP recommend that users update their devices to protect themselves from this RCE vulnerability. OS versions QTS 18.104.22.1684 build 20220515 and later, and QuTS hero h22.214.171.1249 build 20220614 and later have already been patched for this vulnerability.
Last month QNAP issued an urgent security alert warning customers to update their devices to prevent an ongoing Deadbolt ransomware campaign.
These incidents serve a reminder of the importance of applying firmware and security patches to all the devices on your network, not just the PC and Servers.