Your QNAP NAS Device Is Probably Vulnerable To A Critical Security Flaw, Patch ASAP

Another day, another vulnerability. This time we're dealing with network-attached storage hardware provider QNAP. Interestingly though, this particular vulnerability isn't entirely QNAP's fault. It's PHP.

Yes, a vulnerability has been found in PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11, particularly when used in tandem with an improper nginx configuration. Nginx is web server software that could run the web panel functions for QNAP NAS devices. PHP is a server-side scripting and programming language that allows for code execution, typically with limits.

For this vulnerability to actually be exploited, the device must be running both nginx and php-fpm. PHP-FPM (FastCGI Process Manager) is a deployment method for PHP that allows it to run somewhat more efficiently than through certain other libraries. While nginx is not the default web server installed on the affected QNAP operating systems, that does not mean nginx couldn't be installed anyway. The following are the affected QNAP operating system versions.
  • QTS 5.0.x
  • QTS 4.5.x
  • QuTS hero h5.0.x
  • QuTS hero h4.5.x
  • QuTScloud c5.0.x

QNAP has already issued fixes for QTS 5.0.x and QuTS hero h5.0.x, but is still working to push patches to the other versions. The versions that have been patched so far and are considered safe are QTS build 20220515 and later, or QuTS hero h5.0.0.2069 build 20220614 and later.

Checking for new firmware on your devices is pretty simple.
  1. Log onto your device's operating system as an administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update.
  4. At this point, the latest applicable update should be downloaded and automatically installed.

Note that this particular vulnerability is not that new; however, the discovery of the vulnerability within QNAP operating systems is. Web administrators who use PHP in tandem with nginx should update to the latest applicable PHP versions to resolve this security flaw on their web server. This is also not the only security issue QNAP devices have struggled with: a couple of years ago, some devices were locked by ransomware using 7zip archiving software.
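
As an added example (not from the article or from QNAP), this Python check classifies PHP version strings against the affected ranges listed above and only flags hosts that run nginx together with php-fpm. The host names and the inventory format are constructed for illustration.

```python
import re

# First fixed patch release per PHP branch, as listed in the article.
FIXED = {(7, 1): 33, (7, 2): 24, (7, 3): 11}

# Picks the leading major.minor.patch out of a bare version or a `php -v` banner.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unparsed' for one version string."""
    match = _VERSION_RE.search(version_text)
    if not match:
        return "unparsed"
    major, minor, patch = (int(part) for part in match.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        # Branch outside the three ranges the article names; needs separate review.
        return "not-listed"
    return "affected" if patch < fixed_patch else "fixed"


def triage(inventory):
    """Map host -> verdict. Per the article, only nginx + php-fpm setups are in scope."""
    verdicts = {}
    for host, info in inventory.items():
        if info["nginx"] and info["php_fpm"]:
            verdicts[host] = classify(info["php"])
        else:
            verdicts[host] = "out-of-scope"
    return verdicts


# Constructed sample inventory (hypothetical hosts and field names).
SAMPLE = {
    "nas-01": {"php": "PHP 7.3.10 (cli)", "nginx": True, "php_fpm": True},
    "nas-02": {"php": "7.2.24-0ubuntu0.18.04.1", "nginx": True, "php_fpm": True},
    "nas-03": {"php": "PHP 7.1.20 (cli)", "nginx": False, "php_fpm": False},
    "web-01": {"php": "7.4.3", "nginx": True, "php_fpm": True},
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host}: {verdict}")
```

A vendor or distribution build may carry backported fixes that the version number does not show, so treat an "affected" verdict as a prompt to check the package changelog or apply the update.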