Your QNAP NAS Device Is Probably Vulnerable To A Critical Security Flaw, Patch ASAP
Yes, a vulnerability has been found in PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11, particularly when used in tandem with an improper nginx configuration. Nginx is web server software that could run the web panel functions for QNAP NAS devices; PHP is a server-side scripting and programming language that allows for code execution, typically with limits.
For this vulnerability to actually be exploited, the device must be running both nginx and php-fpm. PHP-FPM (FastCGI Process Manager) is a deployment method for PHP that allows PHP to run somewhat more efficiently than through certain other libraries. Although nginx is not the default web server installed on the affected QNAP operating systems, that does not mean nginx couldn't have been installed anyway. The following QNAP operating system versions are affected:
- QTS 5.0.x
- QTS 4.5.x
- QuTS hero h5.0.x
- QuTS hero h4.5.x
- QuTScloud c5.0.x
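As an added example (not from QNAP or the original article), the following shell script checks the two conditions described above: whether a PHP version falls in the affected ranges, and whether nginx and php-fpm both appear in a process listing. It does not inspect the nginx configuration itself; the function names and the sample `php -v` and process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: applies the article's PHP version ranges and its
# nginx + PHP-FPM precondition. Sample data below is constructed.

# Read `php -v` output on stdin, print the X.Y.Z version from line 1.
parse_php_version() {
    sed -n '1s/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Status 0: affected (7.1.x < 7.1.33, 7.2.x < 7.2.24, 7.3.x < 7.3.11).
# Status 1: outside those ranges. Status 2: not a plain X.Y.Z string.
php_version_affected() {
    case $1 in [0-9]*.[0-9]*.[0-9]*) ;; *) return 2 ;; esac
    branch=${1%.*}   # "7.2.19" -> "7.2"
    patch=${1##*.}   # "7.2.19" -> "19"
    case $patch in ''|*[!0-9]*) return 2 ;; esac
    case $branch in
        7.1) fixed=33 ;;
        7.2) fixed=24 ;;
        7.3) fixed=11 ;;
        *)   return 1 ;;
    esac
    [ "$patch" -lt "$fixed" ]
}

# $1 = PHP version, $2 = text of a process listing.
# Prints: precondition-met | php-only | not-affected | unknown
assess() {
    rc=0
    php_version_affected "$1" || rc=$?
    case $rc in
        1) echo not-affected; return 0 ;;
        2) echo unknown; return 0 ;;
    esac
    if printf '%s\n' "$2" | grep -q nginx &&
       printf '%s\n' "$2" | grep -q php-fpm; then
        echo precondition-met
    else
        echo php-only
    fi
}

# Constructed sample inputs, not captured from a real device.
sample_php='PHP 7.2.19 (cli) (built: May 29 2019 10:20:30) ( NTS )'
sample_ps='  812 admin  nginx: master process nginx
  845 admin  php-fpm: master process (php-fpm.conf)'
ver=$(printf '%s\n' "$sample_php" | parse_php_version)
echo "PHP $ver: $(assess "$ver" "$sample_ps")"
# Live use: assess "$(php -v | parse_php_version)" "$(ps)"
```

A `php-only` result means the PHP build is in an affected range but nginx and php-fpm were not both seen running; updating is still the fix in either case.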
Checking for new firmware on your devices is pretty simple:
- Log onto your device's operating system as an administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
- At this point, the latest applicable update should be downloaded and automatically installed.