NAS specialist QNAP, whose tribulations we've mentioned previously in these pages, has released a high-severity security advisory (opens in new tab) warning of a flaw that may allow attackers to gain remote code execution privileges on an affected storage device.
The bug (opens in new tab) is in PHP and affects NAS boxes running QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later. It was already patched in QTS 5.0.1.2034 build 20220515 and later, as well as QuTS hero h5.0.0.2069 build 20220614 and later.
The problem appears to be in the part of PHP that deals with FPM and isn’t a new vulnerability. It’s been known about in theory for three years, but only now has it been shown to be exploitable. FPM is a FastCGI Process Manager that a webserver passes requests to and which can spawn and kill PHP processes as needed. If set up in a particular way, this FPM can be manipulated into writing data past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Note that this is totally different from QNAP’s recent unfortunate experience with Deadbolt ransomware (opens in new tab) . The reason why QNAP, out of all the NAS vendors, appears to have so many problems is that it’s both very popular and takes a conscientious approach to issuing security advisories and deploying patches. Given that the vulnerability hasn’t been patched for all QNAP operating systems yet, it has been assigned the status ‘Fixing.’
In the meantime, QNAP recommends users update to the latest firmware for their storage box. This can be done in the system control panel, using the Live Update panel, or by downloading an update file directly from the QNAP website (opens in new tab) .
- Microsoft releases over 100 security updates - so patch now
- Windows 10 update problem: We're fixing Kerberos authentication bug, says Microsoft
- Google patches two actively exploited Chrome zero-day bugs
- Android users alert! Google asking you to update Chrome to avoid critical bug
- 'Smash Ultimate' Version 9.0 Update Featuring Minecraft Steve is Live - Patch Notes
- Cisco reveals this critical bug in Cisco Security Manager after exploits are posted – patch now
- VIETNAM NEWS NOVEMBER 27 (updated hourly)
- VIETNAM NEWS NOVEMBER 29 (updated hourly)
- Drupal sites vulnerable to double-extension attacks
- The Windows 10 update guide: How to install and manage security and feature updates
QNAP Patches Another Vulnerability, Update Your NAS ASAP have 404 words, post on www.tomshardware.com at June 22, 2022. This is cached page on ReZone. If you want remove this page, please contact us.