Qnap Security Advisory: Fixing Local Privilege Escalation Vulnerability in Linux (Dirty Pipe)
The company has already fixed the vulnerability in QuTS hero h5.0.0.1949 build 20220215 and later, and will release security updates for QTS and QuTScloud ASAP.
This is a Press Release edited by StorageNewsletter.com on March 28, 2022 at 2:01 pm
Qnap Systems, Inc. published a security advisory on fixing a local privilege escalation vulnerability in Linux (Dirty Pipe).
Release date: March 14, 2022
Security ID: QSA-22-05
Severity: High
CVE identifier: CVE-2022-0847
Affected products:
All Qnap x86-based NAS and some Qnap ARM-based NAS running QTS 5.0.x, QuTS hero h5.0.x, and QuTScloud c5.0.x
Not affected products:
Qnap NAS running QTS 4.x and QuTS hero h4.x
Status: Fixing
Summary
A local privilege escalation vulnerability, also known as ‘dirty pipe’, has been reported to affect the Linux kernel on the company’s NAS running QTS 5.0.x, QuTS hero h5.0.x, and QuTScloud c5.0.x. If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.
The following operating system versions are affected:
- QTS 5.0.x on all Qnap x86-based NAS and certain ARM-based NAS
- QuTS hero h5.0.x on all Qnap x86-based NAS and certain ARM-based NAS
- QuTScloud c5.0.x
For a full list of the affected models, check ‘Kernel Version 5.10.60’
The company’s NAS running QTS 4.x and QuTS hero h4.x are not affected.
The firm has already fixed the vulnerability in the following versions of QuTS hero:
- QuTS hero h5.0.0.1949 build 20220215 and later
The company will release security updates for QTS and QuTScloud as soon as possible.
Recommendation
Currently there is no mitigation available for this vulnerability. The firm recommends that users check back and install security updates as soon as they become available.
Updating QTS, QuTS hero, or QuTScloud
- Log on to QTS, QuTS hero, or QuTScloud as administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.
Tip: Users can also download the update from the company’s website. Go to Support > Download Center and then perform a manual update for your specific device.
Revision History:
V1.0 (March 11, 2022) – Published
V1.1 (March 23, 2022) – Security update for QuTS hero 5.0.x available