Qnap Security Advisory Fixing PHP Vulnerability
Fixed vulnerability in QTS 5.0.1.2034 build 20220515 and later, and QuTS hero h5.0.0.2069 build 20220614 and later NAS OS versions
This is a Press Release edited by StorageNewsletter.com on June 29, 2022 at 2:01 pm. Qnap Systems, Inc. has published a security advisory concerning the fix for a PHP vulnerability on certain of the company's NAS devices.
Release date: June 22, 2022
Security ID: QSA-22-20
Severity: Low
CVE identifier: CVE-2019-11043
Affected products: Certain Qnap NAS
Status: Fixing
Summary
A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 when combined with an improper nginx configuration. If exploited, the vulnerability allows attackers to gain remote code execution.
For the vulnerability to be exploited, both nginx and php-fpm must be running. While QTS, QuTS hero, and QuTScloud do not have nginx installed by default, a Qnap NAS may still be affected if the user has installed and is running nginx and php-fpm on the NAS.
If a Qnap NAS is running nginx and php-fpm, the vulnerability affects the following Qnap OS versions:
- QTS 5.0.x
- QTS 4.5.x
- QuTS hero h5.0.x
- QuTS hero h4.5.x
- QuTScloud c5.0.x
The firm has already fixed this vulnerability in the following OS versions:
- QTS 5.0.1.2034 build 20220515 and later
- QuTS hero h5.0.0.2069 build 20220614 and later
The company will release security updates for the remaining OS versions as soon as possible.
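An added example, not Qnap's own tooling, that checks only the preconditions the advisory states: a PHP version in one of the affected ranges plus nginx and php-fpm both running. It assumes a POSIX shell on the NAS with `php` and `pgrep` available; the process names `nginx` and `php-fpm` are assumptions about how those services appear in the process list.

```shell
#!/bin/sh
# Added example (not Qnap code): report whether the preconditions named in
# QSA-22-20 are present on this host. The advisory does not describe the
# nginx misconfiguration itself, so only the stated conditions are checked.

# Return 0 (true) when a PHP version string falls in an affected range:
# 7.1.x < 7.1.33, 7.2.x < 7.2.24, 7.3.x < 7.3.11. Suffixes such as
# "7.3.10-fpm" or "7.2.23RC1" are tolerated; a missing patch level counts as 0.
php_version_affected() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}          # keep leading digits only
    [ "$major" = 7 ] || return 1
    case "$minor" in
        1) [ "${patch:-0}" -lt 33 ] ;;
        2) [ "${patch:-0}" -lt 24 ] ;;
        3) [ "${patch:-0}" -lt 11 ] ;;
        *) return 1 ;;
    esac
}

# Return 0 when both an nginx and a php-fpm process are running
# (process names are an assumption about how the services are installed).
nginx_and_fpm_running() {
    pgrep -x nginx >/dev/null 2>&1 && pgrep php-fpm >/dev/null 2>&1
}

# Print a verdict; return 0 only when every stated precondition is present.
check_qsa_22_20() {
    phpv=$(php -r 'echo PHP_VERSION;' 2>/dev/null) || phpv=unknown
    echo "PHP version: $phpv"
    if ! php_version_affected "$phpv"; then
        echo "PHP version not in an affected range."; return 1
    fi
    if ! nginx_and_fpm_running; then
        echo "nginx and php-fpm are not both running."; return 1
    fi
    echo "Affected PHP version with nginx and php-fpm running: update the OS."
    return 0
}

case "${1:-}" in --run) check_qsa_22_20 ;; esac
```

Run the script with `--run` on the NAS; a zero exit status means all three stated preconditions were observed.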
Recommendation
To secure the device, the firm recommends regularly updating the system to the latest version to benefit from vulnerability fixes. Users can check the product support status to see the latest updates available for their NAS model.
Updating QTS, QuTS hero, or QuTScloud
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.
Tip: Users can also download the update from the company's website. Go to Support > Download Center and then perform a manual update for the specific device.
Revision History: V1.0 (June 22, 2022) – Published