QNAP NAS users should download this update immediately

Daniel Sims

Daniel Sims

Posts: 1,386   +43
Staff
PSA: Anyone using a QNAP NAS while running nginx and php-fpm should probably update its firmware now. QNAP has released a security update addressing an nginx vulnerability, the latest in a series of security issues facing the company since January.

The NAS company announced this week that it has fixed a vulnerability affecting PHP versions 7.1.x, 7.1.33, 7.2.x, 7.2.24, 7.3.x, and 7.3.11. Attackers could exploit it to gain remote execution on QNAP operating systems.

The affected OS versions include QTS 5.0 and 4.5, along with QuTS hero h5.0, 4.5, and c5.0. QTS 5.0.1 build 20220515 and later as well as QuTS hero h5.0.0.2069 build 20220614 and later are safe. The exploit only works in systems running nginx, which QNAP NAS systems don't have installed by default.

To install the update, first log on to QTS, QuTS hero, or QuTScloud as administrator. Then, navigate to Control Panel > System > Firmware Update. Select Live Update > Check for Update. Users can also manually download the update from QNAP's website.

This problem isn't related to the Deadbolt ransomware attacks that have hit QNAP NAS users over the last several months. The company caught some flak for forcing auto-updates through its complex multi-layered firmware system in response, which caused unexpected data loss for some users.

QNAP detected another Deadbolt campaign last week, but its latest firmware isn't vulnerable.

Permalink to story.

https://www.techspot.com/news/95039-qnap-nas-users-download-update-immediately.html

 
Not sure why they still have the cojones to actually sell these brand new or why do we not have a class action suit demanding a recall of well, *all* of them.

Some of them might be salvageable since if the model includes pci-e or hdmi out they can be made to boot and run Truenas Scale instead to reasonably utilize the hardware but the hardware still usually too expensive for something you have to dedicate lots of time to basically make sure you never use their OS unless for some reason you want to lose all your data to ransomware.
 
I've been very happy with the QNAP device I use. It's small, easy to use and, for the most part, I almost forget it's there. This particular issue only happens when running NGINX and NGINX is only used for load balancing on high traffic web sites so I'm not sure why you'd have it running on a small media server in the first place. I'd much rather have the company testing for issues (and reporting them) than just staying quiet and pretending everything is right with the world.
 
mbk34 said:
I've been very happy with the QNAP device I use. It's small, easy to use and, for the most part, I almost forget it's there. This particular issue only happens when running NGINX and NGINX is only used for load balancing on high traffic web sites so I'm not sure why you'd have it running on a small media server in the first place. I'd much rather have the company testing for issues (and reporting them) than just staying quiet and pretending everything is right with the world.
Click to expand...

Unfortunately I had to deal with both of our QNAP NAS being hacked for ransomeware at work. :(
 
Puiu said:
Unfortunately I had to deal with both of our QNAP NAS being hacked for ransomeware at work. :(
Click to expand...
I'm sorry to hear that. Would it be better having 2 different types of NAS to reduce the chances of this type of attack? Or perhaps backup data to an independent offsite provider? I'm sure you've thought of this already and obviously hindsight is a wonderful thing but still worth saying for others.
 
mbk34 said:
I'm sorry to hear that. Would it be better having 2 different types of NAS to reduce the chances of this type of attack? Or perhaps backup data to an independent offsite provider? I'm sure you've thought of this already and obviously hindsight is a wonderful thing but still worth saying for others.
Click to expand...
There were 2 types. The first is an old NAS with an ARM CPU and the newer one has an Intel CPU. You would expect the newer one to be "safer".
 
Sorry, I meant NAS devices from different manufacturers. Obviously I don't know what you use the NAS devices for so that might not be possible. The Intel CPU will be faster but they'll both run approximately the same software so they'd both have the same vulnerability.
 
mbk34 said:
Sorry, I meant NAS devices from different manufacturers. Obviously I don't know what you use the NAS devices for so that might not be possible. The Intel CPU will be faster but they'll both run approximately the same software so they'd both have the same vulnerability.
Click to expand...
The software on the Intel one is a much newer version. Can't install the latest version on the old one unfortunately.

And yeah, we could have bought from different manufacturers, but businesses don't usually do that unless there is a big problem with what they've been using already. Nobody could have guessed that the problems later on would be this big.

It happened after we opened up external access because of COVID. It wasn't an admin account hack, just a vulnerability that bypasses security.
 
You must log in or register to reply here.

Similar threads

A
Some QNAP NAS devices affected by a critical vulnerability, updates available right now
Replies
4
Views
207
Puiu
Puiu
A
QNAP's NAS devices affected by a new critical security issue, patches are available
Replies
5
Views
660
Puiu
Puiu
Daniel Sims
Graphics card makers believe the RTX 5090 and 5080 will ship in Q4 2024
Replies
24
Views
324
godrilla
godrilla

Latest posts

Back