“Dirty Pipe” Linux Flaw Affects a Wide Range of QNAP NAS Devices

One of Taiwan’s leading manufacturers of network storage systems, QNAP Systems, Inc. specializes in file sharing, virtualization, storage administration, and surveillance.

What Happened?

Network-attached storage (NAS) appliance manufacturer QNAP issued a warning on Monday about a newly reported Linux vulnerability that affects its products and that may be exploited to obtain administrative access and take control of vulnerable computers.

A local privilege escalation vulnerability, also known as “dirty pipe”, has been reported to affect the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x. If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.

The following versions of QTS and QuTS hero are affected:

QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS

QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS

For a full list of the affected models, please check “Kernel Version 5.10.60” in the following link: https://www.qnap.com/go/release-notes/kernel

QNAP NAS running QTS 4.x are not affected.

QNAP is thoroughly investigating the vulnerability. We will release security updates and provide further information as soon as possible.

Recommendation

Currently there is no mitigation available for this vulnerability. We recommend users to check back

Read More: https://heimdalsecurity.com/blog/a-linux-flaw-known-as-the-dirty-pipe-affects-a-wide-range-of-qnap-nas-devices/