PSA: Anyone using a QNAP NAS while running nginx and php-fpm should probably update its firmware now. QNAP has released a security update addressing an nginx vulnerability, the latest in a series of security issues facing the company since January.
The NAS company announced this week that it has fixed a vulnerability affecting PHP versions 7.1.x, 7.1.33, 7.2.x, 7.2.24, 7.3.x, and 7.3.11. Attackers could exploit it to gain remote execution on QNAP operating systems.
The affected OS versions include QTS 5.0 and 4.5, along with QuTS hero h5.0, 4.5, and c5.0. QTS 5.0.1 build 20220515 and later as well as QuTS hero h18.104.22.1689 build 20220614 and later are safe. The exploit only works on systems running nginx, which QNAP NAS systems do not have installed by default.
To install the update, first log in to QTS, QuTS hero, or QuTScloud as administrator. Then, navigate to Control Panel > System > Firmware Update. Select Live Update > Check for Update. Users can also manually download the update from QNAP’s website.
This problem is not related to the Deadbolt ransomware attacks that have hit QNAP NAS users over the last several months. The company caught some flak for forcing auto-updates through its advanced multi-layered firmware system in response, which caused unexpected data loss for some users.
QNAP detected another Deadbolt campaign last week, but its latest firmware is not vulnerable.