NAS specialist QNAP, whose tribulations we’ve mentioned previously in these pages, has released a high-severity security advisory warning of a flaw that may allow attackers to gain remote code execution privileges on an affected storage device.
The bug is in PHP and affects NAS boxes running QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later. It was already patched in QTS 184.108.40.2064 build 20220515 and later, as well as QuTS hero h220.127.116.119 build 20220614 and later.
The problem appears to be in the part of PHP that deals with FPM and isn't a new vulnerability. It's been known about in theory for three years, but only now has it been shown to be exploitable. FPM is a FastCGI Process Manager that a webserver passes requests to and which can spawn and kill PHP processes as needed. If set up in a particular way, this FPM can be manipulated into writing data past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Note that this is totally different from QNAP's recent unfortunate experience with Deadbolt ransomware. The reason why QNAP, out of all the NAS vendors, appears to have so many problems is that it's both very popular and takes a conscientious approach to issuing security advisories and deploying patches. Given that the vulnerability hasn't been patched for all QNAP operating systems yet, it has been assigned the status 'Fixing.'
In the meantime, QNAP recommends users update to the latest firmware for their storage box. This can be done in the system control panel, using the Live Update panel, or by downloading an update file directly from the QNAP website.