QNAP warns severe Linux bug affects most of its NAS devices

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,520
Taiwanese hardware vendor QNAP warns most of its Network Attached Storage (NAS) devices are impacted by a high severity Linux vulnerability dubbed 'Dirty Pipe' that allows attackers with local access to gain root privileges.

The 'Dirty Pipe' security bug affects Linux Kernel 5.8 and later versions, even on Android devices. If successfully exploited, it allows non-privileged users to inject and overwrite data in read-only files, including SUID processes that run as root.

Security researcher Max Kellermann who found and reported the bug, also released a proof-of-concept (PoC) exploit that enables local users to modify configurations and gain higher privileges and access.
Dirty COW, a similar Linux vulnerability fixed in 2016, was previously used by malware to root Android devices and plant backdoors, although it was harder to exploit.

While a patch was released for the security flaw one week ago with Linux kernels versions 5.16.11, 5.15.25, and 5.10.102, QNAP says that its customers will have to wait until the company releases its own security updates.

"If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code," QNAP explained in a security advisory released today.
"Currently there is no mitigation available for this vulnerability. We recommend users to check back and install security updates as soon as they become available."