QNAP developers have warned that some NAS models (with non-default configurations) may be vulnerable to attacks using a three-year-old critical PHP vulnerability that allows remote arbitrary code execution.
We previously reported that QNAP warned that the Dirty Pipe vulnerability affects most of the company's NAS devices, and that QNAP recommended disabling AFP due to a critical vulnerability.
This time the issue is CVE-2019-11043, which poses a threat to some versions of the company's operating systems. The vulnerability has already been fixed in QTS 5.0.1.2034 build 20220515 or later, as well as in QuTS hero h5.0.0.2069 build 20220614 or later. However, the bug affects a very wide range of the company's devices and also poses a threat to:
- QTS 5.0.x and above;
- QTS 4.5.x and above;
- QuTS hero h5.0.x and above;
- QuTS hero h4.5.x and above;
- QuTScloud c5.0.x and above.
The manufacturer also emphasizes that a number of conditions must be met for CVE-2019-11043 to be exploited successfully. In particular, nginx and php-fpm must be running.
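For administrators triaging a fleet, the check below combines the two facts given above: the fixed builds quoted in this article and the vendor's condition that nginx and php-fpm are both running. It is an added example, not QNAP's code; the release-string format follows the article's wording, and the process lists and unpatched release strings in the sample are constructed.

```python
import re

# Fixed releases exactly as quoted in the article: (version tuple, build date).
FIXED = {
    "QTS": ((5, 0, 1, 2034), 20220515),
    "QuTS hero": ((5, 0, 0, 2069), 20220614),
}
REQUIRED = ("nginx", "php-fpm")  # both must be running, per the vendor


def parse_release(text):
    """Parse 'h5.0.0.2069 build 20220614' into ((5, 0, 0, 2069), 20220614)."""
    m = re.fullmatch(r"[hc]?(\d+(?:\.\d+)*)\s+build\s+(\d{8})", text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2))


def is_patched(product, release):
    fixed = FIXED.get(product)
    if fixed is None:
        return False  # the article lists no fixed build (e.g. QuTScloud)
    return parse_release(release) >= fixed


def running(process_names, wanted):
    """Match on the executable's base name, so paths and suffixes still count."""
    bases = (n.split()[0].rsplit("/", 1)[-1] for n in process_names if n.strip())
    return any(b.startswith(wanted) for b in bases)


def triage(product, release, process_names):
    if is_patched(product, release):
        return "patched"
    if all(running(process_names, w) for w in REQUIRED):
        return "unpatched: preconditions present"
    return "unpatched: preconditions absent"


if __name__ == "__main__":
    # Constructed inventory: (product, release string, running processes).
    fleet = [
        ("QTS", "5.0.1.2034 build 20220515", ["nginx", "php-fpm"]),
        ("QTS", "5.0.0.1000 build 20220101", ["/usr/sbin/nginx", "php-fpm: master process"]),
        ("QuTS hero", "h4.5.4.1000 build 20210101", ["smbd"]),
    ]
    for product, release, procs in fleet:
        print(f"{product} {release}: {triage(product, release, procs)}")
```

A result of "preconditions absent" still means the firmware is unpatched; the vendor describes nginx and php-fpm only as part of the required conditions.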
Interestingly, this warning was published just a week after the NAS manufacturer notified users of a new wave of DeadBolt ransomware attacks, and security experts reported that QNAP devices were again being attacked by the eCh0raix malware.
It is not yet known which infection vector DeadBolt and eCh0raix are using this time; it is reported only that DeadBolt is targeting devices with older firmware versions (released from 2017 to 2019).