QNAP devices vulnerable to Dirty Pipe Linux exploit


A vulnerability in the Linux kernel (CVE-2022-0847), known as Dirty Pipe, allows a user to overwrite data in read-only files. The bug affects kernel versions from 5.8 onwards, including those running on Android devices.

QNAP have confirmed that their NAS devices are vulnerable, with no patch available.


An unprivileged local Linux user could use this flaw to escalate their privileges on the system.

Vulnerability Detection

Check the running kernel version.
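
A version check along these lines, as an added example that is not part of the original bulletin: it compares a kernel release string (by default the output of `uname -r`) with the range this bulletin gives, 5.8 up to but not including 5.17-rc6. The function name and result labels are hypothetical.

```shell
#!/bin/sh
# Added example (not from the bulletin's author): classify a kernel release
# against the Dirty Pipe (CVE-2022-0847) range stated in this bulletin:
# from 5.8 up to, but not including, 5.17-rc6.
# The function name and the output labels are hypothetical.

# dirtypipe_range_check RELEASE
# Prints "in-range", "out-of-range" or "unknown" (unparseable input).
dirtypipe_range_check() {
    rel=$1
    # Expect MAJOR.MINOR[.PATCH][-suffix], e.g. the output of `uname -r`.
    case "$rel" in
        *.*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%[!0-9]*}      # leading digits of the second field
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    [ -n "$minor" ] || { echo unknown; return 0; }

    # Older than 5.8: before the range given in the bulletin.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo out-of-range; return 0
    fi
    # Newer than the 5.17 series: after the range.
    if [ "$major" -gt 5 ] || [ "$minor" -gt 17 ]; then
        echo out-of-range; return 0
    fi
    # 5.8 through 5.16: inside the range.
    if [ "$minor" -lt 17 ]; then
        echo in-range; return 0
    fi
    # 5.17 series: only release candidates rc1..rc5 precede 5.17-rc6.
    case "$rel" in
        *-rc[1-5]|*-rc[1-5][!0-9]*) echo in-range ;;
        *) echo out-of-range ;;
    esac
}

# Classify the running kernel, or any release strings given as arguments.
[ "$#" -gt 0 ] || set -- "$(uname -r)"
for r in "$@"; do
    printf '%s: %s\n' "$r" "$(dirtypipe_range_check "$r")"
done
```

An `in-range` result is a prompt to check the vendor advisory rather than proof of exposure, because vendor kernels can carry backported fixes without changing the base version number.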

Affected Products

Dirty Pipe affects Linux kernel versions prior to 5.17-rc6.

– QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS.
– QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS.

Containment, Mitigations & Remediations

No patch is currently available; once one is released, it should be applied as an emergency change.
Until then, access to the device should be restricted using network access controls.

Indicators of Compromise


Threat Landscape

There has been a string of local privilege escalation (LPE) vulnerabilities in Linux lately, including the polkit exploit, and one in eBPF.

Linux LPEs are mostly a concern for shared hosting providers who grant users unprivileged access to servers. Unpatched Network Attached Storage devices will be of interest to ransomware groups looking to get around access controls.

MITRE Methodologies

T1068 – Exploitation for Privilege Escalation

Further Information

Local Privilege Escalation Vulnerability in Linux (Dirty Pipe)

The Dirty Pipe Vulnerability