QNAP Issues Warning Over Dirty Pipe Linux Exploit

Tux the penguin pops out of a pipe
(Image credit: Hemin Suthar )

Network Attached Storage manufacturer QNAP has issued a security advisory (opens in new tab) warning that its devices may be vulnerable to the Dirty Pipe Linux vulnerability.

The QNAP TS-364

(Image credit: QNAP)

The warning covers QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS, and QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS. QNAP NAS boxes running QTS 4.x are not affected. QNAP has a handy list (opens in new tab) online specifying which kernel version each of its storage systems uses, so you can quickly check if you’re likely to be affected. 

QNAP’s advisory notice, which has a severity rating of high (one down from critical, the highest level) and which is still being investigated at the time of writing, warns: “If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.”

As we reported last week (opens in new tab), Dirty Pipe affects all Linux kernels, including Android, between 5.8 and 5.10.122, which has received a fix. Kernels 5.16.11 and 5.15.25 are similarly secure. The vulnerability is named CVE-2022-0847 (opens in new tab) in the National Vulnerability Database,  which describes how a hacker with local access to your machine can exploit a flaw “in the way the ‘flags’ member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.” Which is bad.

Luckily, the fix is already in place, so QNAP is recommending users wait for a security update, as “there is no mitigation available for this vulnerability”. There's no mention of taking their devices offline - or at least not exposing them to the internet -  as there was when the Deadbolt ransomware hit QNAP devices (opens in new tab), among others (opens in new tab), earlier this year.

QNAP has been speedy with such updates in the past, with the patch (opens in new tab) to prevent and remove Deadbolt arriving just eight days after the malware, which hijacked the NAS login page and encrypted files, began to infect systems.

Ian Evenden
Freelance News Writer

Ian Evenden is a UK-based news writer for Tom’s Hardware US. He’ll write about anything, but stories about Raspberry Pi and DIY robots seem to find their way to him.