Newly Discovered ’Dirty Pipe‘ Linux Vulnerability Affects Several QNAP NAS Devices

Network-attached storage (NAS) device manufacturer QNAP released a security advisory yesterday warning that a recently discovered Linux kernel vulnerability could be leveraged against its products.

“A local privilege escalation vulnerability, also known as "dirty pipe", has been reported to affect the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x,” according to QNAP’s statement. “If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code.”

The company released a complete list of models impacted by the flaw, and clarified that QNAP NAS devices running QTS 4.x are not affected. Therefore, users should only check the Kernel Version 5.10.60 models on the published list.

According to QNAP’s security advisory, only the following versions of QTS and QuTS hero are vulnerable to the kernel bug:

• QTS 5.0.x on QNAP x86 (32-bit) NAS and certain QNAP ARM-based NAS models
• QuTShero h5.0.x on QNAP x86 (32-bit) NAS and certain QNAP ARM-based NAS models

QNAP said it’s “thoroughly investigating the vulnerability” and “will release security updates and provide further information as soon as possible.”

For the time being, the company has announced no mitigation for this vulnerability but recommends users perform regular checks and install security updates as soon as possible to fend off cyberattacks.

Last week a researcher discovered a high-severity Linux kernel vulnerability that could let attackers use unprivileged processes to inject code into root processes to attain privilege escalation. The vulnerability, labeled as “Dirty Pipe,” is tracked as CVE-2022-0847, has a CVSS score of 7.8, and is believed to be around since kernel version 5.8, considering its similarities with “Dirty Cow,” a flaw discovered in October 2016.