PSA: Anyone using a QNAP NAS while running nginx and php-fpm should probably update its firmware now. QNAP has released a security update addressing an nginx vulnerability, the latest in a series of security problems facing the company since January.
The NAS company announced this week that it has fixed a vulnerability affecting PHP versions 7.1.x, 7.1.33, 7.2.x, 7.2.24, 7.3.x, and 7.3.11. Attackers could exploit it to gain remote code execution on QNAP operating systems.
The affected OS versions include QTS 5.0 and 4.5, along with QuTS hero h5.0, 4.5, and c5.0. QTS 5.0.1 build 20220515 and later, as well as QuTS hero h126.96.36.1999 build 20220614 and later, are secure. The exploit only works on systems running nginx, which QNAP NAS systems do not have installed by default.
To install the update, first log in to QTS, QuTS hero, or QuTScloud as administrator. Then, navigate to Control Panel > System > Firmware Update. Select Live Update > Check for Update. Users can also manually download the update from QNAP’s website.
This problem is not related to the Deadbolt ransomware attacks that have hit QNAP NAS users over the last several months. The company caught some flak for forcing auto-updates through its complicated multi-layered firmware system in response, which caused unexpected data loss for some users.
QNAP detected another Deadbolt campaign last week, but its latest firmware is not vulnerable.