CATEGORIES
home News

Your QNAP NAS Device Is Probably Vulnerable To A Critical Security Flaw, Patch ASAP

by Lane BabuderThursday, June 23, 2022, 02:35 PM EDT
QNAP NAS box
Another day another vulnerability. This time we're dealing with network-attached storage hardware provider QNAP. Interestingly though, this particular vulnerability isn't entirely QNAP's fault. It's PHP.

Yes, a vulnerability has been found in PHP versions 7.1.x when below 7.1.33, 7.2.x when below 7.2.24, and 7.3.x when below 7.3.11. Particularly when in tandem with an improper nginx configuration. Nginx is a web server software that could run the web panel functions for QNAP NAS devices, PHP is a server-side scripting and programming language that allows for code execution, typically with limits.

For this vulnerability to actually be exploited the specific configuration requires running nginx, and php-fpm. PHP-FPM is a deployment method of PHP called FastCGI Process Manager, which allows PHP to run somewhat more efficiently than through certain other libraries. Ultimately while nginx is not the default web server installed on the affected operating systems from QNAP, it does not mean nginx couldn't be installed anyway. The following are the affected QNAP operating system versions.
  • QTS 5.0.x
  • QTS 4.5.x
  • QuTS hero h5.0.x
  • QuTS hero h4.5.x
  • QuTScloud c5.0.x
qnap middle

QNAP has already issued fixes for QTS 5.0.x, and QuTS hero h5.0.x, but is still working to push patches to the other version. The versions that are considered safe that have been patched so far are QTS 5.0.1.2034 build 20220515 and later, or QuTS hero h5.0.0.2069 build 20220614 and later.

To check for new firmware on your devices is pretty simple.
  1. Log onto your device's operating system as an administrator
  2. Go to Control Panel > System > Firmware Update
  3. Under Live Update, click Check for Update.
  4. At this point, the latest applicable update should be downloaded and automatically installed.
qnap 4 bay

Note that this particular vulnerability is not that new, however, the discovery of the vulnerability within QNAP operating systems is. So web administrators should be aware that they should update to the latest applicable PHP versions to resolve this security flaw on their web server if they use it in tandem with nginx. This is also not the only security item QNAP devices have struggled with, a couple of years ago some devices got ransomware locked using 7zip archiving software.
Tags:  NAS, security, QNAP
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment