The Network Attached Storage (NAS) devices manufacturer giant QNAP published an advisory on 22 June 2022 in which QNAP detailed a 3-year-old PHP-related vulnerability in QNAP NAS devices. The vulnerability tracked as CVE-2019-11043 is a Critical severity vulnerability with a CVSS score of 9.8 out of 10. The flaw lice in the affected versions of php-fpm allow attackers to perform remote code execution on the affected QNAP operating systems. Since this flaw allows the attacker to carry out remote code execution attacks, it is most important to fix the CVE-2019-11043 vulnerability. Let’s see how to fix CVE-2019-11043, a PHP vulnerability in QNAP NAS devices that lead to an RCE attack.
Short Introduction About QNAP NAS:
QNAP NAS is a popular choice for those looking for a reliable and feature-rich network attached storage solution. QNAP offers a wide range of models to suit different needs, from entry-level to high-end. QNAP NAS also supports a wide range of protocols and features, making it a versatile storage solution for both home and business users.
Summary Of CVE-2019-11043:
This is a 3-year-old critical vulnerability in PHP in QNAP NAS operating system. The flaw lice in the affected versions of php-fpm allow attackers to perform remote code execution on the affected QNAP operating systems.
In certain FPM set-ups, certain PHP versions below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 in specific configurations of FPM can cause the FPM module to write past allocated buffers into the FCGI protocol data space, allowing for remote code execution on the affected set-up.
The vendor said in its advisory, “A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx configuration. If exploited, the vulnerability allows attackers to gain remote code execution.”
|Associated CVE ID||CVE-2019-11043|
|Description||A PHP Vulnerability in QNAP NAS Devices that Lead to RCE Attack|
|Associated ZDI ID||–|
|CVSS Score||9.8 Critical|
|Attack Vector (AV)||Network|
|Attack Complexity (AC)||Low|
|Privilege Required (PR)||None|
|User Interaction (UI)||None|
QNAP NAS Vulnerable To CVE-2019-11043:
The QNAP devices on which both nginx and php-fpm are running with these QNAP NAS operating systems. The vendor said that having nginx is a must to exploit the vulnerability no matter if it is loaded by default or manual.
- QTS 5.0.x
- QTS 4.5.x
- QuTS hero h5.0.x
- QuTS hero h4.5.x
- QuTScloud c5.0.x
How To Fix CVE-2019-11043, A PHP Vulnerability In QNAP NAS Devices That Lead To RCE Attack?
QTS, QuTS hero, and QuTScloud don’t have nginx installed by default, and it is a must to have nginx to exploit the flaw. The first thing to make sure nginx is not installed on your QNAP NAS devices, especially on those operating systems listed in the previous section.
Three Tips To mitigate The CVE-2019-11043 vulnerability:
- Ensure nginx is not installed.
- Take the QNAP NAS off the internet.
- Apply the patches.
Well, the vendor has released the patch to fix the 3-year-old critical vulnerability. Please upgrade your QNAP OS to these fixed versions. We always recommend regular upgrades and keeping your device to the latest version. This
- QTS 126.96.36.1994 build 20220515 and later
- QuTS hero h188.8.131.529 build 20220614 and later
Follow This Procedure To upgrade QNAP NAS QTS, QuTS Hero, OR QuTScloud From The Console:
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update by themselves.
Follow this procedure to upgrade QNAP from the software center:
- Go to Support > Download Center to download the update from the QNAP website.
- Perform a manual update for your specific device.
This simple procedure completes the upgradation procedure. We hope this post will help you know how to fix CVE-2019-11043, a PHP vulnerability in QNAP NAS devices that lead to RCE attack. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.