PSA: Anyone using a QNAP NAS while running nginx and php-fpm should probably update its firmware now. QNAP has released a security update addressing an nginx vulnerability, the latest in a series of security issues affecting the company since January.
The NAS company announced this week that it has fixed a vulnerability affecting PHP versions 7.1.x, 7.1.33, 7.2.x, 7.2.24, 7.3.x, and 7.3.11. Attackers could exploit it to gain remote code execution on QNAP operating systems.
The affected OS versions include QTS 5. and 4.5, along with QuTS hero h5., 4.5, and c5.. QTS 5..1 build 20220515 and later as well as QuTS hero h5…2069 build 20220614 and later are safe. The exploit only works on systems running nginx, which QNAP NAS devices do not have installed by default.
To install the update, first log on to QTS, QuTS hero, or QuTScloud as administrator. Then navigate to Control Panel > System > Firmware Update. Select Live Update > Check for Update. Users can also manually download the update from QNAP's website.
This issue isn't related to the Deadbolt ransomware attacks that have hit QNAP NAS customers over the last several months. The company caught some flak for forcing auto-updates through its complicated multi-layered firmware system in response, which caused unexpected data loss for some customers.
QNAP detected another Deadbolt campaign last week, but its latest firmware isn't vulnerable.