For QNAP, The Hits Keep Coming As Yet Another Security Issue Disclosed
Seriously, QNAP can’t catch a break when it comes to security issues related to their NAS devices. Days after announcing this security flaw comes a brand new one:
A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution.
For CVE-2019-11043, there are some prerequisites that need to be met, which are:
- nginx is running, and
- php-fpm is running.
As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state. If nginx is installed by the user and running, then the update should be applied as soon as possible to mitigate associated risks.
So in English, if you run some non-default software on your QNAP NAS, you could get pwned. Some fixes are already out, but there are more fixes to come. To be honest, I see this vulnerability as an edge case. But given QNAP’s recent history of security issues, it will put the NAS vendor under even more scrutiny than it is now.
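The advisory boils down to three conditions: a PHP version inside one of the listed ranges, nginx running, and php-fpm running. The following POSIX shell script is an added example (it is not from QNAP's advisory or from QNAP's own tooling) that checks those three conditions on a host. It encodes only the version ranges quoted above, assumes a `php` binary and `pgrep` are on the PATH when run stand-alone, and treats any version outside 7.1 to 7.3 as not affected.

```shell
#!/bin/sh
# Added example: decide whether a PHP version falls in the ranges quoted from
# QNAP's advisory for CVE-2019-11043, and whether the two prerequisites
# (nginx and php-fpm running) hold on this host. Not QNAP's own code.

# Returns 0 (true) when $1 is 7.1.x below 7.1.33, 7.2.x below 7.2.24, or
# 7.3.x below 7.3.11; returns 1 for fixed versions, other branches, or
# a malformed version string. Only the ranges from the advisory are encoded.
php_version_affected() {
    major_minor=$(printf '%s' "$1" | cut -d. -f1,2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    case "$patch" in
        ''|*[!0-9]*) return 1 ;;   # missing or non-numeric patch level
    esac
    case "$major_minor" in
        7.1) [ "$patch" -lt 33 ] ;;
        7.2) [ "$patch" -lt 24 ] ;;
        7.3) [ "$patch" -lt 11 ] ;;
        *)   return 1 ;;
    esac
}

# Returns 0 when a process whose name contains $1 is running.
# Substring match rather than -x, since the binary may carry a suffix
# (assumption: pgrep is available, e.g. from BusyBox or procps).
process_running() {
    pgrep "$1" >/dev/null 2>&1
}

# Combines the three conditions. Prints a one-line verdict and returns 0
# only when the version is in range AND nginx AND php-fpm are running.
host_exposed() {
    version="$1"
    if ! php_version_affected "$version"; then
        echo "PHP $version is outside the affected ranges"
        return 1
    fi
    if ! process_running nginx; then
        echo "PHP $version is in range but nginx is not running (default QTS state)"
        return 1
    fi
    if ! process_running php-fpm; then
        echo "PHP $version is in range and nginx runs, but php-fpm is not running"
        return 1
    fi
    echo "EXPOSED: PHP $version with nginx and php-fpm running; apply the update"
    return 0
}

# Stand-alone use: read the installed PHP version if a php binary exists.
if command -v php >/dev/null 2>&1; then
    host_exposed "$(php -r 'echo PHP_VERSION;')"
fi
```

The version test is deliberately strict about the patch field: a string like `7.3.11-1` is reported as not affected rather than guessed at, so a distribution-suffixed version should be normalised before it is passed in.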
This entry was posted on June 23, 2022 at 8:18 am and is filed under Commentary with tags QNAP.