Critical PHP Vulnerability Allows Code to Run on Qnap Devices

Critical PHP vulnerability in Qnap
Written by Emma Davis

Qnap developers have warned that some NAS models (with non-default configurations) may be vulnerable to attacks using a three-year-old critical PHP vulnerability that allows remote arbitrary code execution.

Let me remind you that we also wrote that Qnap warned that the Dirty Pipe vulnerability affects most of the company's NAS devices, and that Qnap recommended disabling AFP due to a critical vulnerability.

This time the issue is CVE-2019-11043, which poses a threat to some versions of the company's OS. The vulnerability has already been fixed in QTS build 20220515 or later, as well as in QuTS hero h5.0.0.2069 build 20220614 or later. However, the bug affects a very wide range of the company's devices and also poses a threat to:

  1. QTS 5.0.x and above;
  2. QTS 4.5.x and above;
  3. QuTS hero h5.0.x and above;
  4. QuTS hero h4.5.x and above;
  5. QuTScloud c5.0.x and above.

"The vulnerability affects versions of PHP 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11. In the case of exploitation, the problem allows attackers to achieve remote code execution. To protect your device, we recommend that you regularly update the software to the latest version," according to Qnap.

The manufacturer also emphasizes that a number of conditions must be met for CVE-2019-11043 to be exploited successfully. In particular, both nginx and php-fpm must be running.

"Because our software does not have nginx by default, Qnap NAS are not affected by this vulnerability in their default state. If nginx is installed by the user and running, then the update provided in the QSA-22-20 bulletin should be applied as soon as possible to reduce the associated risks," the developers say.
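To turn the two conditions above (an affected PHP build, plus nginx and php-fpm both running) into a quick triage check, here is an added POSIX shell script; it is an illustration written for this article, not QNAP's own tooling or advisory text. It assumes the standard `php -v` banner format ("PHP 7.3.10 (cli) ...") and that `pgrep` is available for the optional live scan.

```shell
#!/bin/sh
# Added example (not QNAP's code): triage a host against the CVE-2019-11043
# advisory. Affected PHP ranges are the ones quoted above:
# 7.1.x < 7.1.33, 7.2.x < 7.2.24, 7.3.x < 7.3.11. Per the advisory, the bug
# is only reachable when nginx AND php-fpm are both running.

# Extract "7.3.10" from a `php -v` banner such as "PHP 7.3.10 (cli) (built: ...)".
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Classify a PHP version string: prints "affected", "fixed" or "out-of-scope".
php_status() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}          # tolerate distro suffixes like "7.3.10-1"
    patch=${patch:-0}
    [ "$major" = 7 ] || { echo out-of-scope; return; }
    case "$minor" in
        1) fix=33 ;;                  # first fixed release of each branch
        2) fix=24 ;;
        3) fix=11 ;;
        *) echo out-of-scope; return ;;
    esac
    if [ "$patch" -lt "$fix" ]; then echo affected; else echo fixed; fi
}

# Combine the version verdict with the advisory's precondition.
# Arguments: PHP version, nginx running (yes/no), php-fpm running (yes/no).
risk_level() {
    status=$(php_status "$1")
    if [ "$status" = affected ] && [ "$2" = yes ] && [ "$3" = yes ]; then
        echo exposed                  # vulnerable build and the reachable stack
    elif [ "$status" = affected ]; then
        echo patch-needed             # vulnerable build, not reachable without nginx+php-fpm
    else
        echo ok
    fi
}

# Optional live scan of the current host (hypothetical usage; pgrep assumed).
if [ "${1:-}" = "--scan" ]; then
    ver=$(php_version_from_banner "$(php -v 2>/dev/null | head -n 1)")
    ng=no; fpm=no
    pgrep -x nginx >/dev/null 2>&1 && ng=yes
    pgrep php-fpm >/dev/null 2>&1 && fpm=yes
    echo "php=${ver:-none} nginx=$ng php-fpm=$fpm -> $(risk_level "${ver:-0.0.0}" "$ng" "$fpm")"
fi
```

Run it with `--scan` on a host to get a one-line verdict; a result of `patch-needed` still means the update from the QSA-22-20 bulletin should be applied, it just is not reachable through the web stack yet.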

Interestingly, this warning was published just a week after the NAS manufacturer notified users of a new wave of DeadBolt ransomware attacks, and security experts reported that Qnap devices were again being attacked by the ech0raix malware.

It is not yet known which infection vector DeadBolt and ech0raix are using this time; it is only reported that DeadBolt is targeting devices with older firmware versions (released from 2017 to 2019).


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
