A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution.
For CVE-2019-11043, there are some prerequisites that need to be met, which are:
- nginx is running, and
- php-fpm is running.
As QTS, QuTS hero or QuTScloud does not have nginx installed by default, QNAP NAS are not affected by this vulnerability in the default state. If nginx is installed by the user and running, then the update should be applied as soon as possible to mitigate associated risks.
So in English, if you run some non-default software on your QNAP NAS, you could get pwned. Some fixes are already out, but there are more fixes to come. To be honest, I see this vulnerability as an edge case. But given QNAP’s recent history of security issues, it will put the NAS vendor on even more scrutiny than it is now.