Network Attached Storage manufacturer QNAP has issued a security advisory warning that its devices may be vulnerable to the Dirty Pipe Linux vulnerability.
The warning covers QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS, and QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS. QNAP NAS boxes running QTS 4.x are not affected. QNAP has a handy list online specifying which kernel version each of its storage systems uses, so you can quickly check if you’re likely to be affected.
QNAP’s advisory notice, which has a severity rating of high (one down from critical, the highest level) and which is still being investigated at the time of writing, warns: “If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.”
As we reported last week, Dirty Pipe affects all Linux kernels, including Android, from 5.8 up to 5.10.122, the release that received a fix; kernels 5.16.11 and 5.15.25 are similarly secure. The vulnerability is tracked as CVE-2022-0847 in the National Vulnerability Database, which describes how a hacker with local access to your machine can exploit a flaw “in the way the ‘flags’ member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.” Which is bad.
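To turn the version ranges above into a quick check, here is an added example (written for this page, not code from QNAP or from the original article) that parses a `uname -r` style kernel release string and classifies it against the fixed point releases as the article cites them. The cut-off values are copied from the article's text and are assumptions to be confirmed against the vendor's own advisory; note too that a vendor kernel may carry a backported fix that a bare version number cannot reveal, so a "vulnerable" result means "check the advisory", not "confirmed exploitable".

```python
import platform
import re
from typing import Tuple

# Version cut-offs as cited in the article above (assumption: copied verbatim
# from the article, not independently verified against upstream stable notes).
FIRST_AFFECTED = (5, 8, 0)
FIXED_IN = {
    (5, 10): (5, 10, 122),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
# Assumption: mainline series after 5.16 shipped with the fix already in.
LAST_AFFECTED_SERIES = (5, 16)


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Parse a 'uname -r' style string (e.g. '5.10.60-qnap') into (major, minor, patch).

    A missing patch level ('5.10') is treated as .0. Trailing distro suffixes
    and -rc tags are ignored, so '5.16.0-rc1' parses as (5, 16, 0).
    """
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release as 'not_affected', 'vulnerable' or 'patched'.

    Classification is by version number only: a vendor kernel that backported
    the fix without bumping its version still reads as 'vulnerable'.
    """
    version = parse_kernel_release(release)
    series = version[:2]
    if version < FIRST_AFFECTED:
        return "not_affected"  # predates the bug's introduction in 5.8
    if series > LAST_AFFECTED_SERIES:
        return "patched"  # 5.17 and later (assumed to carry the fix)
    fixed = FIXED_IN.get(series)
    if fixed is not None and version >= fixed:
        return "patched"
    # 5.8, 5.9 and 5.11-5.14 have no fixed point release cited; only a vendor
    # backport would help, and that cannot be seen from the version string.
    return "vulnerable"


def check_this_host() -> str:
    """Convenience wrapper for the running machine (meaningful on Linux only)."""
    return dirty_pipe_status(platform.release())


if __name__ == "__main__":
    # Constructed sample release strings, including a QNAP-style suffix.
    samples = ("4.14.24-qnap", "5.10.60-qnap", "5.10.122", "5.15.24",
               "5.16.11-arch1-1", "5.17.0")
    for sample in samples:
        print(f"{sample:20} -> {dirty_pipe_status(sample)}")
    print(f"this host ({platform.release()}) -> {check_this_host()}")
```

The comparison works on integer tuples rather than strings, so "5.10.9" correctly sorts below "5.10.60", and anything the regex cannot read raises rather than silently passing as safe. On a QNAP box the relevant input is the kernel version from QNAP's per-model list rather than the QTS version string itself.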
Luckily, the fix is already in place, so QNAP is recommending users wait for a security update, as “there is no mitigation available for this vulnerability”. There's no mention of taking their devices offline - or at least not exposing them to the internet - as there was when the Deadbolt ransomware hit QNAP devices, among others, earlier this year.
QNAP has been speedy with such updates in the past, with the patch to prevent and remove Deadbolt arriving just eight days after the malware, which hijacked the NAS login page and encrypted files, began to infect systems.
Ian Evenden is a UK-based news writer for Tom’s Hardware US. He’ll write about anything, but stories about Raspberry Pi and DIY robots seem to find their way to him.