Taiwanese vendor QNAP is addressing a critical PHP vulnerability, tracked as CVE-2019-11043 (CVSS score 9.8 out of 10), that could be exploited to achieve remote code execution.
In certain configurations of FPM setup it is possible to trigger a buffer overflaw related to the memory space reserved for FCGI protocol data, potentially leading to the remote code execution.
The issue impacts PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx configuration.
“A vulnerability has been reported to affect PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 with improper nginx config. If exploited, the vulnerability allows attackers to gain remote code execution.” reads the advisory published by QNAP.
“For the vulnerability to be exploited, both nginx and php-fpm must be running. While QTS, QuTS hero, and QuTScloud do not have nginx installed by default, your QNAP NAS may still be affected if you have installed and are running nginx and php-fpm on your NAS.”
The CVE-2019-11043 flaw impacts devices using the following QNAP operating system versions:
The company pointed pit that QTS, QuTS hero or QuTScloud does not have nginx installed by default, for this reason, the NAS devices are not affected in the default configuration.
The vendor already addressed the vulnerability in the following OS versions:
and will release security updates for the remaining OS versions as soon as possible.
In May, QNAP warned customers of a new wave of DeadBolt ransomware attacks and urges them to install the latest updates.
“To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.” concludes the advisory.
(SecurityAffairs – hacking, QNAP)