Security Advisory - Critical PHP Vulnerability Exposes QNAP NAS Devices to Remote Attacks
Updated: Dec 28, 2022
QNAP, a Taiwanese manufacturer of network-attached storage (NAS) devices, says it is fixing a major, three-year-old PHP vulnerability that could be exploited to gain remote code execution.
According to an alert from the hardware manufacturer, PHP versions 7.1.x through 7.1.33, 7.2.x through 7.2.24, and 7.3.x through 7.3.11 are vulnerable when nginx is poorly configured. An attacker who exploits the vulnerability could obtain remote code execution.
The vulnerability, identified as CVE-2019-11043, has a severity rating of 9.8 out of 10 under the CVSS vulnerability assessment methodology. For a device to be affected, both nginx and php-fpm must be running on one of the following QNAP operating system versions:
QTS 5.0.x and later
QTS 4.5.x and later
QuTS hero h5.0.x and later
QuTS hero h4.5.x and later
QuTScloud c5.0.x and later
Customers are advised to update their QTS or QuTS hero operating systems, and not to keep their devices connected to the internet.
Additionally, QNAP has advised customers to contact QNAP Support for help if they are unable to identify the ransom letter after updating the firmware and entering the obtained DeadBolt decryption key.
The built-in Malware Remover application will automatically quarantine the ransom note that hijacks the login page if the NAS has already been compromised, it said. "If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then upgrade to the latest firmware version," the company added.