• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2019-11043, A PHP Vulnerability In QNAP NAS Devices That Lead To RCE Attack
How To Fix CVE-2019-11043, A PHP Vulnerability in QNAP NAS Devices that Lead to RCE Attack

The Network Attached Storage (NAS) devices manufacturer giant QNAP published an advisory on 22 June 2022 in which QNAP detailed a 3-year-old PHP-related vulnerability in QNAP NAS devices. The vulnerability tracked as CVE-2019-11043 is a Critical severity vulnerability with a CVSS score of 9.8 out of 10. The flaw lice in the affected versions of php-fpm allow attackers to perform remote code execution on the affected QNAP operating systems. Since this flaw allows the attacker to carry out remote code execution attacks, it is most important to fix the CVE-2019-11043 vulnerability. Let’s see how to fix CVE-2019-11043, a PHP vulnerability in QNAP NAS devices that lead to an RCE attack.

Short Introduction About QNAP NAS:

QNAP NAS is a popular choice for those looking for a reliable and feature-rich network attached storage solution. QNAP offers a wide range of models to suit different needs, from entry-level to high-end. QNAP NAS also supports a wide range of protocols and features, making it a versatile storage solution for both home and business users.

Summary Of CVE-2019-11043:

This is a 3-year-old critical vulnerability in PHP in QNAP NAS operating system. The flaw lice in the affected versions of php-fpm allow attackers to perform remote code execution on the affected QNAP operating systems.

In certain FPM set-ups, certain PHP versions below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 in specific configurations of FPM can cause the FPM module to write past allocated buffers into the FCGI protocol data space, allowing for remote code execution on the affected set-up.

The vendor said in its advisory, “A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx configuration. If exploited, the vulnerability allows attackers to gain remote code execution.”

Associated CVE IDCVE-2019-11043
DescriptionA PHP Vulnerability in QNAP NAS Devices that Lead to RCE Attack
Associated ZDI ID
CVSS Score9.8 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)None
User Interaction (UI)None
ScopeUnchanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

QNAP NAS Vulnerable To CVE-2019-11043:

The QNAP devices on which both nginx and php-fpm are running with these QNAP NAS operating systems. The vendor said that having nginx is a must to exploit the vulnerability no matter if it is loaded by default or manual.

  • QTS 5.0.x
  • QTS 4.5.x
  • QuTS hero h5.0.x
  • QuTS hero h4.5.x
  • QuTScloud c5.0.x

How To Fix CVE-2019-11043, A PHP Vulnerability In QNAP NAS Devices That Lead To RCE Attack?

QTS, QuTS hero, and QuTScloud don’t have nginx installed by default, and it is a must to have nginx to exploit the flaw. The first thing to make sure nginx is not installed on your QNAP NAS devices, especially on those operating systems listed in the previous section.

Three Tips To mitigate The CVE-2019-11043 vulnerability:

  1. Ensure nginx is not installed.
  2. Take the QNAP NAS off the internet.
  3. Apply the patches.

Well, the vendor has released the patch to fix the 3-year-old critical vulnerability. Please upgrade your QNAP OS to these fixed versions. We always recommend regular upgrades and keeping your device to the latest version. This

  • QTS 5.0.1.2034 build 20220515 and later
  • QuTS hero h5.0.0.2069 build 20220614 and later

Follow This Procedure To upgrade QNAP NAS QTS, QuTS Hero, OR QuTScloud From The Console:

  1. Log on to QTS, QuTS hero, or QuTScloud as administrator.
  2. Go to Control Panel > System > Firmware Update.
  3. Under Live Update, click Check for Update

QTS, QuTS hero, or QuTScloud downloads and installs the latest available update by themselves.

Or

Follow this procedure to upgrade QNAP from the software center:

  1. Go to Support > Download Center to download the update from the QNAP website.
  2. Perform a manual update for your specific device.

This simple procedure completes the upgradation procedure. We hope this post will help you know how to fix CVE-2019-11043, a PHP vulnerability in QNAP NAS devices that lead to RCE attack. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.