QNAP warns of a critical PHP flaw that could lead to remote code execution

Taiwanese company QNAP is addressing a critical PHP vulnerability that could be exploited to achieve remote code execution.

Taiwanese vendor QNAP is addressing a critical PHP vulnerability, tracked as CVE-2019-11043 (CVSS score 9.8 out of 10), that could be exploited to achieve remote code execution.

In certain configurations of FPM setup it is possible to trigger a buffer overflaw related to the memory space reserved for FCGI protocol data, potentially leading to the remote code execution.

The issue impacts PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx configuration.

“A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution.” reads the advisory published by QNAP.

“For the vulnerability to be exploited, both nginx and php-fpm must be running. While QTS, QuTS hero, and QuTScloud do not have nginx installed by default, your QNAP NAS may still be affected if you have installed and are running nginx and php-fpm on your NAS.”

The CVE-2019-11043 flaw impacts devices using the following QNAP operating system versions:

• QTS 5.0.x and later
• QTS 4.5.x and later
• QuTS hero h5.0.x and later
• QuTS hero h4.5.x and later
• QuTScloud c5.0.x and later

The company pointed pit that QTS, QuTS hero or QuTScloud does not have nginx installed by default, for this reason, the NAS devices are not affected in the default configuration.

The vendor already addressed the vulnerability in the following OS versions:

• QTS 5.0.1.2034 build 20220515 and later
• QuTS hero h5.0.0.2069 build 20220614 and later

and will release security updates for the remaining OS versions as soon as possible.

Researchers urge QNAP customers to keep their devices up to date. Recently, experts warned of a new ech0raix ransomware campaign targeting QNAP Network Attached Storage (NAS) devices.

In May, QNAP warned customers of a new wave of DeadBolt ransomware attacks and urges them to install the latest updates.

“To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.” concludes the advisory.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, QNAP)

[adrotate banner=”5″]

[adrotate banner=”13″]