NAS specialist QNAP, whose tribulations we’ve talked about beforehand in these pages, has launched a high-severity safety advisory (opens in new tab) warning of a flaw that will enable attackers to realize distant code execution privileges on an affected storage gadget.
The bug (opens in new tab) is in PHP and impacts NAS containers operating QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later. It was already patched in QTS 5.0.1.2034 construct 20220515 and later, in addition to QuTS hero h5.0.0.2069 construct 20220614 and later.
The issue seems to be within the a part of PHP that offers with FPM and is not a brand new vulnerability. It has been recognized about in idea for 3 years, however solely now has it been proven to be exploitable. FPM is a FastCGI Course of Supervisor {that a} webserver passes requests to and which might spawn and kill PHP processes as wanted. If arrange in a selected manner, this FPM could be manipulated into writing knowledge previous allotted buffers into the area reserved for FCGI protocol knowledge, thus opening the potential of distant code execution.
Notice that that is completely totally different from QNAP’s latest unlucky expertise with Deadbolt ransomware (opens in new tab). The rationale why QNAP, out of all of the NAS distributors, seems to have so many issues is that it is each very talked-about and takes a conscientious method to issuing safety advisories and deploying patches. On condition that the vulnerability hasn’t been patched for all QNAP working techniques but, it has been assigned the standing ‘Fixing.’
Within the meantime, QNAP recommends customers replace to the newest firmware for his or her storage field. This may be carried out within the system management panel, utilizing the Stay Replace panel, or by downloading an replace file straight from the QNAP web site (opens in new tab).