NAS Vendor Says Several of Its Products Likely Contain Linux Dirty Pipe Flaw

Published: 23/11/2024   Category: security

QNAP's disclosure this week is the latest reminder of the potentially wide impact of a privilege escalation flaw in the Linux kernel.



Taiwan-based network attached storage (NAS) device vendor QNAP has identified several of its products as potentially containing a severe Linux vulnerability dubbed Dirty Pipe, which was first disclosed last week.
QNAP's announcement is the latest indication of the potentially wide scope of Dirty Pipe, a privilege escalation flaw that exists in all Linux kernels from version 5.8 through versions before Linux 5.16.11, 5.15.25, and 5.10.102. Security researcher Max Kellermann discovered the flaw (CVE-2022-0847) when investigating a support ticket involving corrupt files at a customer location. Kellermann released a proof-of-concept exploit for it last week, along with an explanation of the issue.
The flaw has been addressed in all of the latest Linux kernel versions. So far, there have been no reports of the Dirty Pipe vulnerability being exploited in the wild. However, the fact that the flaw exists on every Linux device running version 5.8 or later of the kernel — including new Android 12 devices such as Google Pixel 6 and Galaxy S22 running Android 12 — and the fact that it can be exploited in multiple ways has prompted concern. The US Cybersecurity and Infrastructure Security Agency (CISA) was among those urging organizations to review details of the Dirty Pipe flaw and to update to the new fixed versions of the kernel.
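The version ranges quoted above can be turned into a quick triage check for a fleet of Linux hosts or NAS boxes. This is an added example, not QNAP's or the article's code; it assumes only the fixed versions named in this article, and because distributions and appliance vendors may backport the fix without changing the version string, an "affected" result means "consult the vendor advisory", not "confirmed vulnerable".

```python
import platform
import re

# Fixed stable releases named in the article (CVE-2022-0847).
FIRST_AFFECTED = (5, 8, 0)
FIXED_BY_BRANCH = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}


def parse_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.10.101-generic' into (5, 10, 101).

    Distro/vendor suffixes after the patch level are ignored on purpose:
    this check only reasons about the upstream stable version.
    """
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not match:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release as 'not-affected', 'affected' or 'fixed'.

    Version-only reasoning: a vendor backport of the fix (common on
    long-term distro kernels and appliance firmware) is invisible here,
    so 'affected' should be read as 'verify against the vendor advisory'.
    """
    version = parse_release(release)
    if version < FIRST_AFFECTED:
        return "not-affected"          # bug introduced in 5.8
    branch = version[:2]
    if branch in FIXED_BY_BRANCH:
        return "fixed" if version >= FIXED_BY_BRANCH[branch] else "affected"
    if branch > (5, 16):
        return "fixed"                 # mainline 5.17+ carries the fix
    # 5.8 to 5.14 and any other branch without a listed stable fix.
    return "affected"


def check_running_kernel() -> tuple:
    """Return (release string, status) for the kernel this script runs on."""
    release = platform.release()
    return release, dirty_pipe_status(release)


if __name__ == "__main__":
    print("%s: %s" % check_running_kernel())
```

Run it on each host (or feed it the kernel string from an appliance's system information page) and follow up every "affected" result with the vendor's own advisory.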
"This vulnerability allows a local user without privileges to gain root privileges, such as unauthorized creation of new [scheduling tasks], SUID binary hijacking, password modification, and so on," says Yaroslav Shmelev, security researcher at Kaspersky, which analyzed the flaw and released a report on it last week.
"After gaining superuser rights, the attacker can gain access to all data stored in the system," Shmelev says. "The attacker can also obtain persistent root access on a compromised system, remove all traces of their presence in the system, and change privileged system services to capture user credentials," he says.
QNAP described impacted products as including all of its x86-based NAS and some QNAP ARM-based NAS devices running operating systems QTS 5.0.x and QuTS hero h5.0.x.
In an advisory, the vendor describes the vulnerability as giving an unprivileged user the ability to gain administrative privileges and inject arbitrary code into vulnerable systems. QNAP says no mitigations are currently available for the vulnerability and urged users of affected devices to check back and install the company's security updates as soon as they become available.
"QNAP is thoroughly investigating the vulnerability," the company noted. "We will release security updates and provide further information as soon as possible."
Kellermann described the Dirty Pipe flaw as similar to, but easier to exploit than, another privilege escalation Linux kernel flaw from 2016 named Dirty Cow (CVE-2016-5195). That bug was tied to how the Linux kernel's memory subsystem handled a so-called copy-on-write (COW) function. Like the newly reported Linux flaw, Dirty Cow impacted a large swathe of systems — including Android devices — based on certain versions of the operating system. Nearly six years after Dirty Cow was disclosed, exploits for it continue to be in high demand in the cyber underground because of the number of vulnerable systems and devices that remain unpatched.
According to Kellermann, the Linux kernel Dirty Pipe flaw basically allows data in arbitrary read-only files to be overwritten. This gives attackers a way to inject malicious code into root processes and escalate privileges. Kaspersky's Shmelev says the vulnerability occurs due to a flaw in the Linux kernel, which results in pipes that are used for interprocess communications operating incorrectly.
"Exploitation of this vulnerability happens during creation of said pipe and during the execution of certain actions," Shmelev says. "[The flaw creates] a situation in which the perpetrator gains the ability to replace the content of any files, which are accessible in read-only mode and thus escalate privileges on the system."
Straightforward to Exploit the Linux Flaw
The availability of a functioning Dirty Pipe exploit on various sites and repositories has made it straightforward for attackers to exploit the flaw. "It is enough to compile the source code of the exploit and launch the executable file on the device that is being attacked," Shmelev says.
"Necessary security updates are available in many Linux distributions and can be launched as regular Linux kernel updates to patch the flaw," he adds.
"This is a privilege escalation vulnerability that requires local access in order to be exploited," says Giovanni Vigna, senior director of threat intelligence at VMware. "Therefore, restricting access to Linux servers on a strict need-to basis is a good general practice that would mitigate this particular attack," he says.
"Combining this approach with network segmentation can limit the scope and reach of a breach involving the Dirty Pipe flaw," he adds.
Vulnerabilities like Dirty Pipe are a growing concern because of the widespread use of Linux in cloud environments and the growing volume and complexity of Linux malware. A recent study by VMware showed that Linux currently powers some 78% of the most popular websites on the Internet, making the operating system a popular target for threat actors. At the same time, VMware found relatively few tools were available for detecting Linux-directed threats because of a lack of focus on the operating system among makers of anti-malware products.
"It is therefore not surprising that attacks that monetize data, such as ransomware, and CPU resources, such as cryptominers, have found a fertile ground in these environments," Vigna says. He points to REvil, DarkSide, and Defray as examples of Linux-based ransomware that, in particular, target cloud workloads.
"These used to be Windows-based threats that evolved into Linux versions to widen their target scope," he says. "As cybercriminals realize that there are large monetization opportunities in Linux-based environments, it is likely that Linux-based threats will keep increasing in frequency and sophistication."
