How To Fix CVE-2019-11043, A PHP Vulnerability In QNAP NAS Devices That Lead To RCE Attack

The Network Attached Storage (NAS) devices manufacturer giant QNAP published an advisory on 22 June 2022 in which QNAP detailed a 3-year-old PHP-related vulnerability in QNAP NAS devices. The vulnerability tracked as CVE-2019-11043 is a Critical severity vulnerability with a CVSS score of 9.8 out of 10. The flaw lice in the affected versions of php-fpm allow attackers to perform remote code execution on the affected QNAP operating systems. Since this flaw allows the attacker to carry out remote code execution attacks, it is most important to fix the CVE-2019-11043 vulnerability. Let’s see how to fix CVE-2019-11043, a PHP vulnerability in QNAP NAS devices that lead to an RCE attack.

Short Introduction About QNAP NAS:

QNAP NAS is a popular choice for those looking for a reliable and feature-rich network attached storage solution. QNAP offers a wide range of models to suit different needs, from entry-level to high-end. QNAP NAS also supports a wide range of protocols and features, making it a versatile storage solution for both home and business users.

Summary Of CVE-2019-11043:

This is a 3-year-old critical vulnerability in PHP in QNAP NAS operating system. The flaw lice in the affected versions of php-fpm allow attackers to perform remote code execution on the affected QNAP operating systems.

In certain FPM set-ups, certain PHP versions below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 in specific configurations of FPM can cause the FPM module to write past allocated buffers into the FCGI protocol data space, allowing for remote code execution on the affected set-up.

The vendor said in its advisory, “A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx configuration. If exploited, the vulnerability allows attackers to gain remote code execution.”

QNAP NAS Vulnerable To CVE-2019-11043:

The QNAP devices on which both nginx and php-fpm are running with these QNAP NAS operating systems. The vendor said that having nginx is a must to exploit the vulnerability no matter if it is loaded by default or manual.

How To Fix CVE-2019-11043, A PHP Vulnerability In QNAP NAS Devices That Lead To RCE Attack?

QTS, QuTS hero, and QuTScloud don’t have nginx installed by default, and it is a must to have nginx to exploit the flaw. The first thing to make sure nginx is not installed on your QNAP NAS devices, especially on those operating systems listed in the previous section.

Three Tips To mitigate The CVE-2019-11043 vulnerability:

Well, the vendor has released the patch to fix the 3-year-old critical vulnerability. Please upgrade your QNAP OS to these fixed versions. We always recommend regular upgrades and keeping your device to the latest version. This

Follow This Procedure To upgrade QNAP NAS QTS, QuTS Hero, OR QuTScloud From The Console:

QTS, QuTS hero, or QuTScloud downloads and installs the latest available update by themselves.

Or

Follow this procedure to upgrade QNAP from the software center:

This simple procedure completes the upgradation procedure. We hope this post would help you know how to fix CVE-2019-11043, a PHP vulnerability in QNAP NAS devices that lead to RCE attack. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.