Taiwanese company Qnap warns users that the recently discovered Dirty Pipe problem in Linux, which allows attackers to gain root privileges, affects most NAS companies.
The Dirty Pipe issue (CVE-2022-0847; CVSS score 7.8) became known in early March 2022. The vulnerability appeared in the Linux kernel code back in version 5.8 (even on devices running Android) and was only recently fixed in versions 5.16.11, 5.15.25 and 5.10.102.According to expert Max Kellermann, who discovered the bug, the vulnerability is almost similar to another high-profile problem, Dirty COW (CVE-2016-5195), which was fixed back in 2016. Essentially, Dirty Pipe allows an unprivileged local user to embed and overwrite data in read-only files, including SUID processes running as root.
Worse, a PoC exploit for the vulnerability was published earlier this month that allows local users to inject their own data into sensitive read-only files by removing restrictions or changing the configuration in such a way as to provide themselves with wider access than they should.
Although the patches are already released, Qnap writes that its customers will have to wait for the fixes.
The bulletin also recommends that customers temporarily block any attempts to access the NAS locally.
At the same time, the vulnerability poses a threat to a very wide range of devices, including devices with QTS 5.0.x and QuTS hero h5.0.x on board, including:
- QTS 5.0.x on all QNAP x86 based NAS and some QNAP ARM based NAS;
- QuTS hero h5.0.x on all QNAP x86 based NAS and some QNAP ARM based NAS.
The full list of vulnerable models can be seen here, in the “Kernel Version 5.10.60” column. At the same time, Qnap emphasizes that devices running QTS 4.x are not affected by the new problem.
As a reminder, we also reported that Attackers use a three-year-old RCE bug to install backdoors in Qnap NAS.
