The vulnerability affects most of the company’s NAS devices.
Taiwan-based hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by a high-severity Linux vulnerability dubbed ‘Dirty Pipe’ that allows attackers with local access to gain root privileges.
The ‘Dirty Pipe’ security bug affects Linux Kernel 5.8 and later versions, even on Android devices. If successfully exploited, it allows non-privileged users to inject and overwrite data in read-only files, including SUID processes that run as root.
Security researcher Max Kellermann discovered the flaw while tracking down a bug that was corrupting web server access logs for one of his customers. Kellermann states that the vulnerability is similar to the Dirty COW vulnerability (CVE-2016-5195) fixed in 2016.
As part of the Dirty Pipe disclosure, Kellermann released a proof-of-concept (PoC) exploit that allows local users to inject their own data into sensitive read-only files, removing restrictions or modifying configurations to provide greater access than they usually would have.
For example, security researcher Phith0n illustrated how they could use the exploit to modify the /etc/passwd file so that the root user does not have a password. Once this change is made, the non-privileged user could simply execute the ‘su root’ command to gain access to the root account.
“No mitigation available”
A patch was released for the security flaw one week ago with Linux kernel versions 5.16.11, 5.15.25, and 5.10.102. But QNAP says that its customers will have to wait until the company releases its own security updates.
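For administrators triaging Linux hosts while waiting on vendor updates, the version ranges above can be turned into a quick check. The script below is an added example, not code from QNAP or from the disclosure; the function name `dirty_pipe_status` and the sample release strings are constructed for illustration, and it assumes kernel branches newer than 5.16 carry the fix.

```shell
#!/bin/sh
# Classify a kernel release string (as printed by `uname -r`) against the
# ranges given in the article: affected from 5.8, fixed in 5.10.102,
# 5.15.25 and 5.16.11.
# Assumption: branches newer than 5.16 are treated as carrying the fix.
# Caveat: vendor kernels can backport the fix without changing the version
# number, so "vulnerable" means "not fixed by upstream numbering".

dirty_pipe_status() (
    ver=${1%%[!0-9.]*}            # drop vendor suffix: "5.10.60-x" -> "5.10.60"
    IFS=.
    set -- $ver                   # split on dots into $1 $2 $3
    major=${1:-} minor=${2:-} patch=${3:-0}
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) echo unknown; return ;;   # not a version string
    esac

    # Before 5.8 the bug had not been introduced.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return
    fi
    # Newer than the 5.16 branch: assumed fixed (see header comment).
    if [ "$major" -gt 5 ] || [ "$minor" -gt 16 ]; then
        echo patched; return
    fi
    # Branches for which the article names a fixed release.
    case $minor in
        10) fixed=102 ;;
        15) fixed=25 ;;
        16) fixed=11 ;;
        *)  echo vulnerable; return ;;   # affected branch, no fixed release named
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
)

# Constructed sample release strings, followed by the running kernel.
for r in 5.7.19 5.10.60-vendor 5.10.102 5.15.25-generic "$(uname -r)"; do
    printf '%-22s %s\n' "$r" "$(dirty_pipe_status "$r")"
done
```

On an appliance, treat a "vulnerable" result as a prompt to check the vendor advisory, since the firmware version rather than the kernel string is what the vendor's fix will be tracked against.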
The company says that the bug impacts devices running QTS 5.0.x and QuTS hero h5.0.x. This includes QTS 5.0.x on all QNAP x86-based NAS, and certain QNAP ARM-based NAS.
The vulnerability also impacts QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS.
“If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code,” QNAP explained in a security advisory released on Monday.
“Currently there is no mitigation available for this vulnerability. We recommend users to check back and install security updates as soon as they become available.”