QNAP, a prominent Taiwanese manufacturer renowned for its network-attached storage (NAS) solutions, has disclosed efforts to rectify a significant PHP vulnerability that has persisted for three years. This flaw poses a risk of remote code execution, a critical concern for businesses employing these devices.
According to a security advisory issued by QNAP, the vulnerability impacts specific PHP versions, specifically 7.1.x prior to 7.1.33, 7.2.x below 7.2.24, and 7.3.x before 7.3.11. The advisory highlights that a misconfigured Nginx setup exacerbates the issue, giving malicious actors a pathway to exploit affected systems. If successfully executed, an attacker could gain unauthorized remote access to the system, potentially compromising sensitive data.
The identified vulnerability, tracked as CVE-2019-11043, is classified with a severity score of 9.8 out of 10 on the CVSS scale, underscoring the critical nature of this security flaw. It should be noted that the vulnerability requires the Nginx and PHP-FPM services to be in operation on devices running specific QNAP operating systems, including QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later.
However, QNAP clarified that its default operating systems do not include Nginx, meaning that these devices remain unaffected in their original configuration. The company reports that mitigations have already been implemented in OS versions QTS 5.0.1.2034 (released on May 15, 2022) and QuTS hero h5.0.0.2069 (released on June 14, 2022).
This notification follows closely after QNAP’s recent announcement of an ongoing investigation into a series of DeadBolt ransomware attacks. These attacks are targeting its NAS devices, particularly those operating outdated versions of QTS 4.x, highlighting the importance of regular updates and vigilance against potential threats.
Businesses utilizing QNAP devices are urged to upgrade to the latest versions of QTS or QuTS hero operating systems. Additionally, the company advises against exposing these devices to the internet, a crucial step in minimizing vulnerability to external threats.
For customers encountering issues with ransomware post-upgrade, QNAP recommends entering the received DeadBolt decryption key to regain access, while also providing assistance through customer support channels. The company emphasizes the importance of taking preventive measures, including documenting ransom notes for future reference and utilizing built-in tools such as the Malware Remover application to quarantine unauthorized content.
As businesses assess their cybersecurity frameworks, understanding the potential tactics and techniques employed in such vulnerabilities is essential. The threat landscape often involves adversary tactics and techniques, such as initial access and privilege escalation, which align with the MITRE ATT&CK framework. For organizations leveraging QNAP’s solutions, awareness and prompt responses to these security advisories are critical in fortifying their defenses against evolving cyber threats.
