Network Attached Storage manufacturer QNAP has issued a security advisory warning that its devices may be vulnerable to the Dirty Pipe Linux vulnerability.
The warning covers QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS, and QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS. QNAP NAS boxes running QTS 4.x are not affected. QNAP has a handy list online specifying which kernel version each of its storage systems uses, so you can quickly check if you’re likely to be affected.
QNAP’s advisory notice, which has a severity rating of high (one down from critical, the highest level) and which is still being investigated at the time of writing, warns: “If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.”
As we reported last week, Dirty Pipe affects all Linux kernels, including Android, between 5.8 and 5.10.122, which has received a fix. Kernels 5.16.11 and 5.15.25 are similarly secure. The vulnerability is named CVE-2022-0847 in the National Vulnerability Database, which describes how a hacker with local access to your machine can exploit a flaw “in the way the ‘flags’ member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.” Which is bad.
Luckily, the fix is already in place, so QNAP is recommending users wait for a security update, as “there is no mitigation available for this vulnerability”. There's no mention of taking their devices offline - or at least not exposing them to the internet - as there was when the Deadbolt ransomware hit QNAP devices, among others, earlier this year.
QNAP has been speedy with such updates in the past, with the patch to prevent and remove Deadbolt arriving just eight days after the malware, which hijacked the NAS login page and encrypted files, began to infect systems.