QNAP NAS users should download this update immediately

Daniel Sims

Posts: 462   +18
Staff
PSA: Anyone running nginx and php-fpm on a QNAP NAS should update its firmware now. QNAP has released a security update for a remote code execution vulnerability in PHP (php-fpm) that is reachable when nginx is serving it, the latest in a series of security issues the company has faced since January.

The NAS company announced this week that it has fixed a vulnerability affecting PHP 7.1.x before 7.1.33, 7.2.x before 7.2.24, and 7.3.x before 7.3.11 (the versions listed after each branch are the fixed releases). Attackers could exploit it to gain remote code execution on QNAP operating systems.

The affected OS versions are QTS 5.0 and 4.5, QuTS hero h5.0 and h4.5, and QuTScloud c5.0. QTS 5.0.1 build 20220515 and later, and QuTS hero h5.0.0.2069 build 20220614 and later, contain the fix; the fixed builds for the 4.5 branches and for QuTScloud are not listed here, so check QNAP's advisory for those. The vulnerability can only be exploited on systems where nginx is running, which QNAP NAS systems don't have installed by default, but a system that does not currently run nginx should still be updated rather than treated as permanently safe.
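The advisory's two conditions (an affected PHP build, and nginx actually running) are easy to check by hand, but an explicit triage helper avoids misreading the version ranges. The following is an added example, not code from QNAP or from the article. It assumes the affected PHP ranges are "below 7.1.33 / 7.2.24 / 7.3.11" on their respective branches, and takes the article's "QTS 5.0.1 build 20220515" and "QuTS hero h5.0.0.2069 build 20220614" as the safe firmware thresholds; the inputs are the text you would capture over SSH with `php -v` and `ps`, plus the firmware string shown in the web UI. The sample strings at the bottom are constructed for illustration, not captured from a real device.

```python
"""Triage helper for the QNAP PHP-FPM advisory: added example, not QNAP's code.

Assumptions (not from the article itself): affected PHP is 7.1.x < 7.1.33,
7.2.x < 7.2.24, 7.3.x < 7.3.11; safe firmware is QTS >= 5.0.1 build 20220515
and QuTS hero >= h5.0.0 build 20220614.  Other branches return None (unknown).
"""
import re

# Affected PHP branches -> first fixed patch level on that branch.
FIXED_PHP = {(7, 1): 33, (7, 2): 24, (7, 3): 11}

# Firmware branches named as safe in the article: (minimum version, minimum build date).
SAFE_FIRMWARE = {
    "QTS": ((5, 0, 1), 20220515),
    "QuTS hero": ((5, 0, 0), 20220614),
}

_PHP_RE = re.compile(r"^PHP (\d+)\.(\d+)\.(\d+)", re.MULTILINE)
_FW_RE = re.compile(r"(\d+(?:\.\d+)+)\s*build\s*(\d{8})", re.IGNORECASE)


def parse_php_version(php_v_output):
    """Extract (major, minor, patch) from the first line of `php -v` output."""
    m = _PHP_RE.search(php_v_output)
    if m is None:
        raise ValueError("no PHP version line found")
    return tuple(int(x) for x in m.groups())


def php_is_affected(version):
    """True when the version is on an affected branch and below its fixed release."""
    major, minor, patch = version
    fixed = FIXED_PHP.get((major, minor))
    return fixed is not None and patch < fixed


def nginx_running(ps_output):
    """True if any process line (other than a grep for it) names nginx."""
    for line in ps_output.splitlines():
        if "grep" in line:
            continue
        if re.search(r"(^|[\s/])nginx(:|\s|$)", line):
            return True
    return False


def firmware_is_safe(product, version_string):
    """Compare a firmware string such as '5.0.1.2034 build 20220515' with the
    safe threshold for `product`.  Returns True/False, or None when no threshold
    is known for that branch (e.g. QTS 4.5.x): consult the vendor advisory."""
    m = _FW_RE.search(version_string)
    if m is None:
        raise ValueError("unrecognised firmware string")
    version = tuple(int(x) for x in m.group(1).split("."))
    build = int(m.group(2))
    threshold = SAFE_FIRMWARE.get(product)
    if threshold is None or version[:2] != threshold[0][:2]:
        return None
    min_version, min_build = threshold
    return version[:3] >= min_version and build >= min_build


def assess(php_v_output, ps_output):
    """Combine the advisory's two conditions: an affected PHP build AND nginx
    running.  Either one alone does not make the system exploitable."""
    version = parse_php_version(php_v_output)
    affected = php_is_affected(version)
    running = nginx_running(ps_output)
    return {
        "php_version": "%d.%d.%d" % version,
        "php_affected": affected,
        "nginx_running": running,
        "exposed": affected and running,
    }


# Constructed sample output (not captured from a real NAS).
SAMPLE_PHP_V = "PHP 7.3.9 (cli) (built: Aug 28 2019 09:25:00) ( NTS )\n"
SAMPLE_PS_WITH_NGINX = (
    "  PID USER       TIME  COMMAND\n"
    " 1200 admin      0:02  nginx: master process /usr/local/sbin/nginx\n"
    " 1201 httpdusr   0:00  nginx: worker process\n"
    " 1305 admin      0:00  php-fpm: master process (/etc/config/php-fpm.conf)\n"
    " 2210 admin      0:00  grep nginx\n"
)
SAMPLE_PS_NO_NGINX = (
    "  PID USER       TIME  COMMAND\n"
    " 1305 admin      0:00  php-fpm: master process (/etc/config/php-fpm.conf)\n"
    " 2210 admin      0:00  grep nginx\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_PHP_V, SAMPLE_PS_WITH_NGINX))
    print(assess(SAMPLE_PHP_V, SAMPLE_PS_NO_NGINX))
    print(firmware_is_safe("QTS", "5.0.1.2034 build 20220515"))
    print(firmware_is_safe("QTS", "4.5.4.2012 build 20220419"))
```

Treat a `None` from `firmware_is_safe` as "unknown", not "safe": the article gives no fixed build for the 4.5 branches, and the helper deliberately refuses to guess one.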

To install the update, log on to QTS, QuTS hero, or QuTScloud as administrator, go to Control Panel > System > Firmware Update, and select Live Update > Check for Update. The update can also be downloaded manually from QNAP's website.

This problem isn't related to the Deadbolt ransomware attacks that have hit QNAP NAS users over the last several months. The company caught some flak for forcing automatic firmware updates in response, which some users reported caused unexpected data loss.

QNAP detected another Deadbolt campaign last week, but its latest firmware isn't vulnerable to it.


 

Dimitriid

Posts: 2,212   +4,262
Not sure why they still have the cojones to actually sell these brand new, or why we don't have a class action suit demanding a recall of, well, *all* of them.

Some of them might be salvageable, since if the model includes PCIe or HDMI out they can be made to boot and run TrueNAS Scale instead to reasonably utilize the hardware, but the hardware is still usually too expensive for something you have to dedicate lots of time to, basically to make sure you never use their OS, unless for some reason you want to lose all your data to ransomware.
 

mbk34

Posts: 309   +215
I've been very happy with the QNAP device I use. It's small, easy to use and, for the most part, I almost forget it's there. This particular issue only happens when running NGINX, and NGINX is only used for load balancing on high-traffic web sites, so I'm not sure why you'd have it running on a small media server in the first place. I'd much rather have the company testing for issues (and reporting them) than just staying quiet and pretending everything is right with the world.
 

Puiu

Posts: 5,562   +4,528
TechSpot Elite
I've been very happy with the QNAP device I use. It's small, easy to use and, for the most part, I almost forget it's there. This particular issue only happens when running NGINX, and NGINX is only used for load balancing on high-traffic web sites, so I'm not sure why you'd have it running on a small media server in the first place. I'd much rather have the company testing for issues (and reporting them) than just staying quiet and pretending everything is right with the world.

Unfortunately I had to deal with both of our QNAP NAS being hacked for ransomware at work. :(
 

mbk34

Posts: 309   +215
Unfortunately I had to deal with both of our QNAP NAS being hacked for ransomware at work. :(
I'm sorry to hear that. Would it be better having 2 different types of NAS to reduce the chances of this type of attack? Or perhaps backup data to an independent offsite provider? I'm sure you've thought of this already and obviously hindsight is a wonderful thing but still worth saying for others.
 

Puiu

Posts: 5,562   +4,528
TechSpot Elite
I'm sorry to hear that. Would it be better having 2 different types of NAS to reduce the chances of this type of attack? Or perhaps backup data to an independent offsite provider? I'm sure you've thought of this already and obviously hindsight is a wonderful thing but still worth saying for others.
There were 2 types. The first is an old NAS with an ARM CPU and the newer one has an Intel CPU. You would expect the newer one to be "safer".
 

mbk34

Posts: 309   +215
Sorry, I meant NAS devices from different manufacturers. Obviously I don't know what you use the NAS devices for so that might not be possible. The Intel CPU will be faster but they'll both run approximately the same software so they'd both have the same vulnerability.
 

Puiu

Posts: 5,562   +4,528
TechSpot Elite
Sorry, I meant NAS devices from different manufacturers. Obviously I don't know what you use the NAS devices for so that might not be possible. The Intel CPU will be faster but they'll both run approximately the same software so they'd both have the same vulnerability.
The software on the Intel one is a much newer version. Can't install the latest version on the old one unfortunately.

And yeah, we could have bought from different manufacturers, but businesses don't usually do that unless there is a big problem with what they've been using already. Nobody could have guessed that the problems later on would be this big.

It happened after we opened up external access because of COVID. It wasn't an admin account hack, just a vulnerability that bypasses security.