
Qnap Resolved Vulnerability Security Advisory | Bulletin ID: QSA-22-05

Concerning local privilege escalation vulnerability in Linux (Dirty Pipe)

Qnap Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

Local privilege escalation vulnerability in Linux (Dirty Pipe)
Release date: March 14, 2022
Security ID: QSA-22-05 
Severity: High 
CVE identifier: CVE-2022-0847 
Affected products: All Qnap x86-based NAS and some Qnap ARM-based NAS running QTS 5.0.x, QuTS hero h5.0.x, and QuTScloud c5.0.x 
Not affected products: Qnap NAS running QTS 4.x and QuTS hero h4.x 
Status: Resolved

Summary
A local privilege escalation vulnerability, also known as ‘dirty pipe’, has been reported to affect the Linux kernel on the company’s NAS running QTS 5.0.x, QuTS hero h5.0.x, and QuTScloud c5.0.x. If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.

The following operating system versions are affected:

  • QTS 5.0.x on all Qnap x86-based NAS and certain Qnap ARM-based NAS

  • QuTS hero h5.0.x on all Qnap x86-based NAS and certain Qnap ARM-based NAS

  • QuTScloud c5.0.x

For a full list of the affected models, check ‘Kernel Version 5.10.60’.

NAS running QTS 4.x and QuTS hero h4.x are not affected.

The company has already fixed the vulnerability in the following OS versions:

  • QTS 5.0.0.1986 build 20220324 and later

  • QuTS hero h5.0.0.1986 build 20220324 and later

  • QuTScloud c5.0.1.1998 and later

The firm will release a security update for QuTScloud as soon as possible.
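
For administrators with several devices, the version lists above can be turned into an inventory check. The following Python sketch is an added example, not code from Qnap or from the advisory; the host names and installed versions in the inventory are constructed, and the version-string format is assumed to match the way the advisory writes versions. It looks only at the OS release, so for ARM-based NAS "needs update" means a release older than the fix, not confirmation that the model is on the affected list.

```python
import re

# Fixed releases exactly as listed in the advisory: (version, build date or None).
FIXED = {
    "QTS": ((5, 0, 0, 1986), 20220324),
    "QuTS hero": ((5, 0, 0, 1986), 20220324),
    "QuTScloud": ((5, 0, 1, 1998), None),
}
# Release lines the advisory lists as not affected (QTS 4.x, QuTS hero h4.x).
NOT_AFFECTED_MAJOR = {"QTS": 4, "QuTS hero": 4}

# Accepts "5.0.0.1986 build 20220324", "h5.0.0.1986", "c5.0.1.1998", "4.5".
VERSION_RE = re.compile(r"^[hc]?(\d+(?:\.\d+){1,3})(?:\s+build\s+(\d{8}))?$", re.I)


def classify(product, version_string):
    """Return 'not affected', 'fixed', 'needs update' or 'unknown'."""
    m = VERSION_RE.match(version_string.strip())
    if product not in FIXED or not m:
        return "unknown"
    ver = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    if ver[0] == NOT_AFFECTED_MAJOR.get(product):
        return "not affected"
    if ver[0] < 5 or len(ver) < 4:
        return "unknown"  # outside the advisory's scope, or too short to compare
    fixed_ver, fixed_build = FIXED[product]
    if ver != fixed_ver:
        return "fixed" if ver > fixed_ver else "needs update"
    # Same version number as the fix: the build date decides.
    if fixed_build is None:
        return "fixed"
    if build is None:
        return "unknown"
    return "fixed" if build >= fixed_build else "needs update"


# Constructed sample inventory (host names and installed versions are made up).
INVENTORY = [
    ("nas-01", "QTS", "5.0.0.1932 build 20220129"),
    ("nas-02", "QTS", "5.0.0.1986 build 20220324"),
    ("nas-03", "QuTS hero", "h4.5.4.1892 build 20211223"),
    ("nas-04", "QuTScloud", "c5.0.0.1919"),
    ("nas-05", "QTS", "5.0.0.1986"),
]


def report(inventory=INVENTORY):
    return {host: classify(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

A result of "unknown" means the version string could not be compared against the advisory (for example, the build date is missing on the exact fixed version number) and the device should be checked by hand.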

Recommendation
Currently there is no mitigation available for this vulnerability. The company recommends that users check back and install security updates as soon as they become available.

Updating QTS, QuTS hero, or QuTScloud

  1. Log on to QTS, QuTS hero, or QuTScloud as administrator.

  2. Go to Control Panel > System > Firmware Update.

  3. Under Live Update, click Check for Update.
    QTS, QuTS hero, or QuTScloud downloads and installs the latest available update.

Tip: You can also download the update from the company’s website. Go to Support > Download Center and then perform a manual update for your specific device.

Revision history: 
V1.0 (March 11, 2022) – Published 
V1.1 (March 23, 2022) – Security update for QuTS hero 5.0.x available 
V1.2 (March 31, 2022) – Security update for QTS 5.0.0 available 
V2.0 (May 11, 2022) – Modify security update for QuTScloud c5.0.1

Questions regarding this issue
