QNAP, Taiwanese maker of network-attached storage (NAS) devices, on Wednesday said it’s in the process of fixing a critical three-year-old PHP vulnerability that could be abused to achieve remote code execution.
“A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config,” the hardware vendor said in an advisory. “If exploited, the vulnerability allows attackers to gain remote code execution.”
The vulnerability, tracked as CVE-2019-11043, is rated 9.8 out of 10 for severity on the CVSS vulnerability scoring system. That said, it’s required that Nginx and php-fpm are running in appliances using the following QNAP operating system versions –
- QTS 5.0.x and later
- QTS 4.5.x and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.x and later
- QuTScloud c5.0.x and later
“As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state,” the company said, adding it had already mitigated the issue in OS versions QTS 220.127.116.114 build 20220515 and QuTS hero h18.104.22.1689 build 20220614.
Besides urging customers to upgrade to the newest version of QTS or QuTS hero operating systems, it’s also recommending that the devices are not exposed to the internet.
“If your NAS has already been compromised, take the screenshot of the ransom note to keep the bitcoin address, then upgrade to the latest firmware version and the built-in Malware Remover application will automatically quarantine the ransom note which hijacks the login page,” it said.