Security News > 2022 > June > Critical PHP flaw exposes QNAP NAS devices to RCE attacks
QNAP has warned customers today that most of its Network Attached Storage devices are vulnerable to attacks that would exploit a three-year-old critical PHP vulnerability allowing remote code execution.
"A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11. If exploited, the vulnerability allows attackers to gain remote code execution," QNAP explained in a security advisory released today.
QNAP customers who want to update their NAS devices to the latest firmware automatically need to log on to QTS, QuTS hero, or QuTScloud as administrator and click the "Check for Update" button under Control Panel > System > Firmware Update.
Today's warning comes after the NAS maker warned its customers on Thursday to secure their devices against active attacks deploying DeadBolt ransomware payloads.
BleepingComputer also reported over the weekend that ech0raix ransomware has started targeting vulnerable QNAP NAS devices again, according to sample submissions on the ID Ransomware platform and multiple user reports who had their systems encrypted.
While QNAP is working on patching the CVE-2019-11043 PHP vulnerability in all vulnerable firmware versions, you should ensure that your device is not exposed to Internet access as an easy way to block incoming attacks.
News URL
Related news
- Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks (source)
- QNAP warns of critical auth bypass flaw in its NAS devices (source)
- Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks (source)
- Fortinet warns of critical RCE bug in endpoint management software (source)
- Public anxiety mounts over critical infrastructure resilience to cyber attacks (source)
- Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool (source)
- Ivanti Releases Urgent Fix for Critical Sentry RCE Vulnerability (source)
- Exploit released for Fortinet RCE bug used in attacks, patch now (source)
- US sanctions APT31 hackers behind critical infrastructure attacks (source)
- Cyber attacks on critical infrastructure show advanced tactics and new capabilities (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2019-10-28 | CVE-2019-11043 | Out-of-bounds Write vulnerability in multiple products In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. | 9.8 |