QNAP Releases Fix for RCE Security Vulnerability Affecting PHP in NAS Drive Management
QNAP NAS devices are vulnerable to another security threat. However, the company has released a patch. QNAP urges all NAS drive owners to update their devices to the latest firmware to stay protected. Incidentally, owners who do not change critical security settings are currently immune.
Even as QNAP tries to deal with ech0raix ransomware, another old vulnerability threatens QNAP NAS devices. The vulnerability exists in PHP, which is essentially a server scripting language involved in managing web pages and several backend processes. The problem seems to be in the part of PHP that deals with FPM (FastCGI Process Manager).
The PHP FPM security vulnerability can potentially allow attackers to write data remotely by blowing past pre-allocated buffers. If attackers can write to the space reserved for FCGI protocol data, they can easily perform remote code execution (RCE). Simply put, attackers can gain RCE privileges on an affected QNAP storage device.
The bug affects the following QNAP NAS enclosures:
- QTS 5.0.x and later
- QTS 4.5.x and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.x and later
- QuTScloud c5.0.x and later
QNAP fixed the security vulnerability in QTS 184.108.40.2064 build 20220515 and later, as well as QuTS hero h220.127.116.119 build 20220614 and later.
It is worrying that the security flaw has been known for three years. However, since it was not “workable”, it was not addressed. It looks like there could be new exploits in the wild that rely on this vulnerability. Therefore, QNAP may have released an update for its popular products.
QNAP recommends users update to the latest firmware as soon as possible to stay protected against the vulnerability rated as “very serious”. Updates can be pulled from QNAP’s official online database by going to Control Panel > System > Firmware Update, using the live update panel, or downloading an update file. directly from the QNAP website.
QNAP’s PSIRT team updated the original advisory and mentioned that devices with default configurations are not affected by the PHP FPM security vulnerability.
Source: Computer beeping