QNAP warned customers today that some of its Network Attached Storage (NAS) devices, when running non-default configurations, are exposed to attacks exploiting a critical three-year-old PHP bug that allows remote code execution.
“Versions of PHP 7.1.x through 7.1.33, 7.2.x through 7.2.24, and 7.3.x through 7.3.11 are said to be vulnerable. The flaw allows for remote code execution if it is exploited by attackers,” QNAP explained in a security advisory published today.
“We recommend keeping your system updated to the latest version in order to benefit from vulnerability fixes and secure your device.”
The Taiwanese hardware maker has already patched the security flaw (CVE-2019-11043) in some of the affected operating system versions (QTS 18.104.22.1684 build 20220515 or later and QuTS hero h22.214.171.1249 build 20220614 or later).
However, the flaw affects a range of devices running:
- QTS 5.0.x and later
- QTS 4.5.x and later
- QuTS hero h5.0.x and later
- QuTS hero h4.5.x and later
- QuTScloud c5.0.x and later
To update a NAS to the latest firmware, QNAP customers must sign in to QTS, QuTS hero, or QuTScloud as administrator, open Control Panel > System > Firmware Update, and click “Check for Update”.
Alternatively, the update can be downloaded from Support > Download Center on the QNAP website and applied manually.
QNAP devices targeted by ransomware
The NAS maker had already warned customers on Thursday to secure their devices against ongoing attacks delivering DeadBolt ransomware payloads. Over the weekend, BleepingComputer also reported that the ech0raix ransomware has resumed targeting vulnerable QNAP NAS devices, based on sample uploads to the ID Ransomware site and multiple user reports of encrypted systems.
The infection vector used in these latest DeadBolt and ech0raix campaigns remains unknown until QNAP releases further details on the active attacks. While QNAP works to patch CVE-2019-11043 in all affected firmware versions, the simplest way to block incoming attacks is to make sure the device is not exposed to the Internet.
Users whose NAS devices are exposed to the Internet should take the following steps to block remote access, as QNAP has recommended in the past:
Disable port forwarding on the router:
Open the router’s management interface, check the Virtual Server, NAT, or Port Forwarding settings, and disable port forwarding for the NAS management service port (ports 8080 and 443 by default).
Disable UPnP on the QNAP NAS:
Go to myQNAPcloud in the QTS menu, click “Auto Router Configuration”, and uncheck “Enable UPnP Port forwarding”. QNAP also provides detailed instructions on further hardening: disabling remote SSH and Telnet access, changing the system port, changing device passwords, and enabling IP and account access protection.
June 22, 08:45 UTC Update:
Following the publication of this article, QNAP’s PSIRT team amended the original advisory and told BleepingComputer that CVE-2019-11043 does not affect devices with default configurations. QNAP also said the DeadBolt ransomware attacks target devices running outdated system software (released between 2017 and 2019).
“There are a few requirements that must be met for CVE-2019-11043, which is covered in QSA-22-20, to affect our users, including:
- nginx is running, and
- php-fpm is running.
“Since our software does not include nginx by default, QNAP NAS are not vulnerable as of this writing. If a user has installed and is running nginx, we advise applying the update in QSA-22-20 as soon as possible to reduce any risk. We are revising our security advisory QSA-22-20 to reflect these facts. We want to emphasise again that the majority of QNAP NAS users are not affected by this vulnerability because its requirements are not met. There is a risk only when the system contains user-installed nginx.”
We have also updated the story to incorporate the new information provided by QNAP.
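QNAP’s update narrows the exposure to two preconditions: a user-installed nginx in front of php-fpm, and a PHP build below the releases that carry the fix (7.1.33, 7.2.24 and 7.3.11, per the PHP changelogs). The following Python script is an example added to this article, not QNAP’s tooling or anything from the advisory: it compares a `php -v` banner against those fixed releases and scans an nginx config for the location-block pattern the public exploit for this bug relies on (the `^(.+?\.php)(/.*)$` fastcgi_split_path_info regex feeding PATH_INFO to a fastcgi_pass backend, with no try_files guard in the block). The sample vhost config and version banners are constructed for the example, and the function names are my own.

```python
import re

# Releases that carry the CVE-2019-11043 fix, per the PHP 7.1.33, 7.2.24 and 7.3.11 changelogs.
FIXED_PHP = {(7, 1): 33, (7, 2): 24, (7, 3): 11}

# The fastcgi_split_path_info regex from the stock nginx/php-fpm snippet that the
# public exploit for this bug relies on.
SPLIT_RE = r"^(.+?\.php)(/.*)$"


def php_version_vulnerable(banner):
    """True if a 'php -v' banner names a release below its branch's fix,
    False if fixed, None for branches outside the 7.1-7.3 ranges in the advisory."""
    m = re.search(r"PHP (\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no PHP version found in banner")
    major, minor, patch = (int(x) for x in m.groups())
    fix = FIXED_PHP.get((major, minor))
    if fix is None:
        return None
    return patch < fix


def location_blocks(config_text):
    """Return [(location header, [directives])] for each location block.
    Minimal brace-depth walk over flat vhost snippets; '#' comments are stripped."""
    blocks, current, depth = [], None, 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if current is None:
            if line.startswith("location") and line.endswith("{"):
                current = (line[:-1].strip(), [])
                blocks.append(current)
                depth = 1
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None          # closing brace of the location block
        else:
            current[1].append(line.rstrip(";"))
    return blocks


def block_is_exposed(directives):
    """All three exploit preconditions present in the block and no try_files guard."""
    def has(prefix, *needles):
        return any(d.startswith(prefix) and all(n in d for n in needles) for d in directives)
    return (has("fastcgi_split_path_info", SPLIT_RE)
            and has("fastcgi_param", "PATH_INFO", "$fastcgi_path_info")
            and has("fastcgi_pass")
            and not has("try_files", "=404"))


def assess(config_text, php_banner):
    """Headers of location blocks matching the exploit pattern on a vulnerable PHP build;
    empty when PHP is fixed (or outside the listed branches) or no block matches."""
    if not php_version_vulnerable(php_banner):
        return []
    return [hdr for hdr, directives in location_blocks(config_text) if block_is_exposed(directives)]


# Constructed sample vhost (not from any real device): the first block is the stock
# vulnerable pattern, the second carries the try_files guard that blocks the exploit path.
SAMPLE_CONF = """
server {
    listen 80;
    root /var/www/html;
    location ~ [^/]\\.php(/|$) {
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;   # php-fpm socket
        include fastcgi_params;
    }
    location ~ ^/admin/.*\\.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+?\\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
"""

if __name__ == "__main__":
    for banner in ("PHP 7.3.9 (fpm-fcgi)", "PHP 7.3.11 (fpm-fcgi)"):
        print(banner, "->", assess(SAMPLE_CONF, banner))
```

On a real NAS, feed it the output of `php -v` from the installed package and the nginx config the user deployed; a non-empty result means both of the advisory’s requirements are met in that block, and adding `try_files $uri =404;` to the block (or upgrading PHP) makes the check go quiet for the reason the exploit needs it.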