NAS specialist QNAP, whose tribulations we've mentioned previously in these pages, has released a high-severity security advisory warning of a flaw that may allow attackers to gain remote code execution privileges on an affected storage device.

The bug is in PHP and affects NAS boxes running QTS 5.0.x and later, QTS 4.5.x and later, QuTS hero h5.0.x and later, QuTS hero h4.5.x and later, and QuTScloud c5.0.x and later. It was already patched in QTS 126.96.36.1994 build 20220515 and later, as well as QuTS hero h188.8.131.529 build 20220614 and later.

The problem appears to be in the part of PHP that deals with FPM and isn’t a new vulnerability. It’s been known about in theory for three years, but only now has it been shown to be exploitable. FPM is a FastCGI Process Manager that a webserver passes requests to and which can spawn and kill PHP processes as needed. If set up in a particular way, this FPM can be manipulated into writing data past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Note that this is totally different from QNAP’s…
"QNAP Patches Another Vulnerability, Update Your NAS ASAP" has 300 words and was posted on www.tomshardware.com on June 22, 2022.