Qnap Security Advisory
Investigating local privilege escalation vulnerability in Linux (Dirty Pipe)
This is a Press Release edited by StorageNewsletter.com on March 21, 2022 at 2:01 pm
Qnap Systems, Inc. has published a security advisory concerning its investigation of a local privilege escalation vulnerability in Linux (Dirty Pipe).
Release date: March 14, 2022
Security ID: QSA-22-05
Severity: High
CVE identifier: CVE-2022-0847
Affected products: All Qnap x86-based NAS and some Qnap ARM-based NAS running QTS 5.0.x and QuTS hero h5.0.x
Not affected products: Qnap NAS running QTS 4.x
Status: Investigating
Summary
A local privilege escalation vulnerability, also known as ‘dirty pipe’, has been reported to affect the Linux kernel on the company’s NAS running QTS 5.0.x and QuTS hero h5.0.x. If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.
The following versions of QTS and QuTS hero are affected:
- QTS 5.0.x on all Qnap x86-based NAS and certain Qnap ARM-based NAS
- QuTS hero h5.0.x on all Qnap x86-based NAS and certain Qnap ARM-based NAS
For the full list of affected models, check ‘Kernel Version 5.10.60’.
The company’s NAS running QTS 4.x are not affected.
The firm is thoroughly investigating the vulnerability. The company will release security updates and provide further information as soon as possible.
Recommendation
Currently there is no mitigation available for this vulnerability. The company recommends that users check back and install security updates as soon as they become available.
Revision History: V1.0 (March 11, 2022) – Published