
=====================================================================

                                CERT-Renater

                    Note d'Information No. 2022/VULN217

_____________________________________________________________________

DATE                : 28/06/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QTS versions prior to
                     5.0.1.2034 build 20220515,
                     QuTS hero versions prior to h5.0.0.2069 build 20220614.

=====================================================================
https://www.qnap.com/fr-fr/security-advisory/qsa-22-20
_____________________________________________________________________

PHP Vulnerability


     Release date: June 22, 2022
     Security ID: QSA-22-20
     Severity: Low
     CVE identifier: CVE-2019-11043
     Affected products: Certain QNAP NAS
     Status: Fixing


Summary

A vulnerability has been reported to affect PHP versions 7.1.x below
7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 when PHP runs behind
an improperly configured nginx. If exploited, the vulnerability allows
attackers to gain remote code execution.

For the vulnerability to be exploited, both nginx and php-fpm must be 
running. While QTS, QuTS hero, and QuTScloud do not have nginx installed 
by default, your QNAP NAS may still be affected if you have installed 
and are running nginx and php-fpm on your NAS.
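The advisory names two conditions that must both hold for a NAS to be exposed: nginx and php-fpm are running, and the installed PHP is inside one of the three affected version ranges. The POSIX shell script below is an added, read-only check for those conditions; it is not part of the CERT-Renater note or the QNAP advisory. It assumes that pgrep and php are available on the NAS shell (busybox pgrep is sufficient) and that php-fpm appears under that name in the process list; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the CERT-Renater / QNAP advisory): read-only
# exposure check for CVE-2019-11043 on a NAS. Assumes pgrep and php are on
# PATH; function names are this example's own.

# Return 0 if the PHP version string (e.g. "7.2.10") falls in one of the
# affected ranges given in the advisory:
#   7.1.x < 7.1.33, 7.2.x < 7.2.24, 7.3.x < 7.3.11
php_version_affected() {
    ver="$1"
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # Keep only the leading digits of the patch level ("10-ubuntu" -> "10").
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$major" = 7 ] || return 1
    case "$minor" in
        1) [ "${patch:-0}" -lt 33 ] ;;
        2) [ "${patch:-0}" -lt 24 ] ;;
        3) [ "${patch:-0}" -lt 11 ] ;;
        *) return 1 ;;
    esac
}

# Return 0 if both nginx and php-fpm are running: the advisory's
# precondition for exploitation. pgrep excludes its own process.
nginx_and_fpm_running() {
    pgrep -x nginx >/dev/null 2>&1 && pgrep -f php-fpm >/dev/null 2>&1
}

# Print the installed PHP version, or fail if php is not installed.
installed_php_version() {
    command -v php >/dev/null 2>&1 || return 1
    php -r 'echo PHP_VERSION;' 2>/dev/null
}

# Exposed (return 0) only if the precondition holds AND the given PHP
# version is affected; the version is passed in so the logic can be
# exercised without PHP present.
exposure_status() {
    nginx_and_fpm_running || return 1
    php_version_affected "$1"
}

# Usage on the NAS:
#   if exposure_status "$(installed_php_version)"; then
#       echo "EXPOSED: nginx + php-fpm running with affected PHP"
#   else
#       echo "not exposed by the advisory's criteria"
#   fi
```

The check is deliberately conservative in one direction only: a NAS where nginx or php-fpm is merely installed but not running reports "not exposed", which matches the advisory's wording, so re-run it after any service is started. It does not inspect the nginx configuration itself; patching PHP or the QTS/QuTS hero firmware remains the fix.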


If your QNAP NAS is running nginx and php-fpm, the vulnerability affects 
the following QNAP operating system versions:


     QTS 5.0.x
     QTS 4.5.x
     QuTS hero h5.0.x
     QuTS hero h4.5.x
     QuTScloud c5.0.x


We have already fixed this vulnerability in the following OS versions:


     QTS 5.0.1.2034 build 20220515 and later
     QuTS hero h5.0.0.2069 build 20220614 and later


We will release security updates for the remaining OS versions as soon 
as possible.

Recommendation

To secure your device, we recommend regularly updating your system to 
the latest version to benefit from vulnerability fixes. You can check 
the product support status to see the latest updates available to your 
NAS model.


Updating QTS, QuTS hero, or QuTScloud

     Log on to QTS, QuTS hero, or QuTScloud as administrator.
     Go to Control Panel > System > Firmware Update.
     Under Live Update, click Check for Update.
     QTS, QuTS hero, or QuTScloud downloads and installs the latest
     available update.

Tip: You can also download the update from the QNAP website.
Go to Support > Download Center and then perform a manual update for 
your specific device.


Revision History: V1.0 (June 22, 2022) - Published


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================