QNAP NAS devices are vulnerable to yet another security threat. The company has, however, issued a patch. QNAP is urging all NAS drive owners to update their devices to the latest firmware to stay protected. Incidentally, owners who do not modify critical security settings are currently immune.
Even as QNAP is trying to deal with the ech0raix ransomware, another old vulnerability is threatening QNAP NAS devices. The vulnerability exists in PHP, which is essentially a server scripting language that is involved in managing the webpages and multiple backend processes. The problem appears to be in the part of PHP that deals with FPM (FastCGI Process Manager).
The PHP FPM security vulnerability can potentially allow attackers to remotely write data by blowing past pre-allocated buffers. If attackers can write to the space reserved for FCGI protocol data, they can easily perform Remote Code Execution (RCE). Simply put, attackers can gain RCE privileges on an affected QNAP storage device.
The bug affects the following QNAP NAS boxes:
- QTS 5.0.x and later
- QTS 4.5.x and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.x and later
- QuTScloud c5.0.x and later
QNAP has patched the security vulnerability in QTS 184.108.40.2064 build 20220515 and later, as well as QuTS hero h220.127.116.119 build 20220614 and later.
It is concerning to note that the security flaw has been known for three years. However, as it wasn’t “exploitable”, it wasn’t addressed. It seems there could be new exploits in the wild that rely on this vulnerability. Hence, QNAP may have released an update for its popular products.
QNAP is recommending users update to the latest firmware at the earliest time to stay protected from the vulnerability considered “highly severe”. Updates can be pulled from the official QNAP online database by heading over to Control Panel > System > Firmware Update, using the Live Update panel, or by downloading an update file directly from the QNAP website.
QNAP's PSIRT team has updated the original advisory and mentioned that devices with default configurations are not impacted by the PHP FPM security vulnerability.
Source: Bleeping Computer