Qnap Fixing PHP Vulnerability Security Advisory QSA-22-20
Fixed in NAS OS QTS 5.0.1.2034
This is a Press Release edited by StorageNewsletter.com on July 1, 2022 at 2:01 pm
Qnap Systems, Inc. has published a security advisory concerning a PHP vulnerability.
Release date: June 22, 2022
Security ID: QSA-22-20
Severity: Low
CVE identifier: CVE-2019-11043
Affected products: Certain Qnap NAS
Status: Fixing
Summary
A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with an improper nginx configuration. If exploited, the vulnerability allows attackers to gain remote code execution. The company does not use nginx and is not affected by this vulnerability.
For CVE-2019-11043, there are some prerequisites that need to be met, which are:
- nginx is running, and
- php-fpm is running.
As QTS does not have nginx installed by default, the firm's NAS devices are not affected by this vulnerability in the default state. If nginx is installed by the user and running, then the update should be applied as soon as possible to mitigate the associated risks.
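The two preconditions above (nginx running and php-fpm running) and the affected PHP version ranges from the summary can be checked from a shell on the device. The script below is an added example, not part of Qnap's advisory or its firmware; it assumes a POSIX shell with `pgrep` and, optionally, a `php` CLI on the host. The advisory does not describe the specific nginx configuration involved, so the check covers only the listed preconditions and version ranges.

```shell
#!/bin/sh
# Added example (not from the QNAP advisory): report whether this host meets
# the advisory's preconditions for CVE-2019-11043 and whether its PHP build
# falls inside the affected version ranges the advisory lists.

# Returns 0 when the PHP version string (e.g. "7.3.10" or "7.3.10-1ubuntu")
# is in one of the affected ranges from the advisory:
#   7.1.x below 7.1.33, 7.2.x below 7.2.24, 7.3.x below 7.3.11
# Returns 1 for every other version.
php_version_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Keep only the leading digits of the patch field (drops "-1ubuntu", "RC1", ...)
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -z "$patch" ] && patch=0
    [ "$major" -eq 7 ] || return 1
    case "$minor" in
        1) [ "$patch" -lt 33 ] ;;
        2) [ "$patch" -lt 24 ] ;;
        3) [ "$patch" -lt 11 ] ;;
        *) return 1 ;;
    esac
}

# Returns 0 only when both nginx and php-fpm processes are present, which is
# the exposure precondition the advisory gives. Assumes procps-style pgrep;
# the default name match also catches names such as "php-fpm7.3".
preconditions_met() {
    pgrep nginx >/dev/null 2>&1 && pgrep php-fpm >/dev/null 2>&1
}

# Human-readable report for the local host.
report() {
    if ! preconditions_met; then
        echo "nginx and php-fpm are not both running: advisory preconditions not met"
        return 0
    fi
    local_ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null)
    if [ -z "$local_ver" ]; then
        echo "nginx and php-fpm are running but no php CLI found; check 'php-fpm -v' manually"
        return 0
    fi
    if php_version_affected "$local_ver"; then
        echo "PHP $local_ver is in an affected range: apply the QTS/QuTS hero update"
    else
        echo "PHP $local_ver is outside the affected ranges listed in the advisory"
    fi
}

report
```

The version check is kept separate from the process check so it can be run against any version string, for example the output of `php-fpm -v` collected from several devices, without needing nginx or php-fpm on the machine doing the comparison.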
The vulnerability affects the following Qnap OS versions:
- QTS 5.0.x and later
- QTS 4.5.x and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.x and later
- QuTScloud c5.0.x and later
The company has already fixed this vulnerability in the following OS versions:
- QTS 5.0.1.2034 build 20220515 and later
- QuTS hero h5.0.0.2069 build 20220614 and later
Recommendation
To secure your device, the company recommends regularly updating your system to the latest version to benefit from vulnerability fixes. Users can check the product support status to see the latest updates available for their NAS model.
Updating QTS, QuTS hero, or QuTScloud
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.
Tip: Users can also download the update from the company's website. Go to Support > Download Center and then perform a manual update for the specific device.
Revision History: V1.0 (June 22, 2022) – Published