Qnap Fixing PHP Vulnerability Security Advisory QSA-22-20

Qnap Systems, Inc. had published a security advisory concerning PHP vulnerability.

Release date: June 22, 2022
Security ID: QSA-22-20
Severity: Low
CVE identifier: CVE-2019-11043
Affected products: Certain Qnap NAS
Status: Fixing

Summary
A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution. The company didn’t use nginx and not affected by this vulnerability.

For CVE-2019-11043, there are some prerequisites that need to be met, which are:

nginx is running, and
php-fpm is running.

As QTS does not have nginx installed by default, the firm NAS are not affected by this vulnerability in the default state. If nginx is installed by the user and running, then the update should be applied as soon as possible to mitigate associated risks.

Vulnerability affects following Qnap OS versions:

QTS 5.0.x and later
QTS 4.5.x and later
QuTS hero h5.0.x and later
QuTS hero h4.5.x and later
QuTScloud c5.0.x and later

The company have already fixed this vulnerability in following OS versions:

QTS 5.0.1.2034 build 20220515 and later
QuTS hero h5.0.0.2069 build 20220614 and later

Recommendation
To secure device, the company recommend regularly updating your system to the latest version to benefit from vulnerability fixes. User can check the product support status to see the latest updates available to NAS model.

Updating QTS, QuTS hero, or QuTScloud

Log on to QTS, QuTS hero, or QuTScloud as administrator.
Go to Control Panel > System > Firmware Update.
Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.

Tip: User can also download the update from the company’s website. Go to Support > Download Center and then perform a manual update for specific device.

Revision History: V1.0 (June 22, 2022) – Published