PSA: Anyone using a QNAP NAS while running nginx and php-fpm should probably update its firmware now. QNAP has released a security update addressing an nginx vulnerability, the latest in a series of security issues facing the company since January.
The NAS company announced this week that it has fixed a vulnerability affecting PHP versions 7.1.x, 7.1.33, 7.2.x, 7.2.24, 7.3.x, and 7.3.11. Attackers could exploit it to gain remote execution on QNAP operating systems.
The affected OS versions include QTS 5.0 and 4.5, along with QuTS hero h5.0, 4.5, and c5.0. QTS 5.0.1 build 20220515 and later as well as QuTS hero h5.0.0.2069 build 20220614 and later are safe. The exploit only works in systems running nginx, which QNAP NAS systems don't have installed by default.
To install the update, first log on to QTS, QuTS hero, or QuTScloud as administrator. Then, navigate to Control Panel > System > Firmware Update. Select Live Update > Check for Update. Users can also manually download the update from QNAP's website.
This problem isn't related to the Deadbolt ransomware attacks that have hit QNAP NAS users over the last several months. The company caught some flak for forcing auto-updates through its complex multi-layered firmware system in response, which caused unexpected data loss for some users.
QNAP detected another Deadbolt campaign last week, but its latest firmware isn't vulnerable.