NAS Vendor Says Several of Its Products Likely Contain Linux 'Dirty Pipe' Flaw

Taiwan-based network attached storage (NAS) device vendor QNAP has identified several of its products as potentially containing a severe Linux vulnerability dubbed "Dirty Pipe," which was first disclosed last week.

QNAP's announcement is the latest indication of the potentially wide scope of Dirty Pipe, a privilege escalation flaw that exists in all Linux kernels from version 5.8 through versions before Linux 5.16.11, 5.15.25, and 5.10.102. Security researcher Max Kellerman discovered the flaw [CVE-2022-0847] when investigating a support ticket involving corrupt files at a customer location. Kellerman released a proof-of-concept exploit for it last week, along with an explanation of the issue.

The flaw has been addressed in all of the latest Linux kernel versions. So far, there have been no reports of the Dirty Pipe vulnerability being exploited in the wild. However, the fact that the flaw exists on every Linux device running version 5.8 or later of the kernel — including new Android 12 devices such as Google Pixel 6 and Galaxy S22 running Android 12 — and the fact that it can be exploited in multiple ways has prompted concern. The US Cybersecurity and Infrastructure Security Agency (CISA) was among those urging organizations to review details of the Dirty Pipe flaw and to update to the new fixed versions of the kernel.

"This vulnerability allows a local user without privileges to gain root privileges, such as unauthorized creation of new [scheduling tasks], SUID binary hijacking, password modification, and so on," says Yaroslav Shmelev, security researcher at Kaspersky, which analyzed the flaw and released a report on it last week.

After gaining superuser rights, the attacker can gain access to all data stored in the system, Shmelev says. The attacker can also obtain persistent root access on a compromised system, remove all traces of their presence in the system, and change privileged system services to capture user credentials, he says.

QNAP described impacted products as including all of its x86-based NAS and some QNAP ARM-based NAS devices running operating systems QTS 5.0.x and QuTS hero h5.0.x.

In an advisory, the vendor describes the vulnerability as giving an unprivileged user the ability to gain administrative privileges and inject arbitrary code into vulnerable systems. QNAP says no mitigations are currently available for the vulnerability and urged users of affected devices to check back and install the company's security updates as soon as they become available.

"QNAP is thoroughly investigating the vulnerability," the company noted. "We will release security updates and provide further information as soon as possible."

Kellerman described the Dirty Pipe flaw as similar to, but easier to exploit than, another privilege escalation Linux kernel flaw from 2016 named "Dirty Cow" (CVE-2016-5195). That bug was tied to how the Linux kernel's memory subsystem handled a so-called copy-on-write (COW) function. Like the newly reported Linux flaw, Dirty Cow impacted a large swathe of systems — including Android devices — based on certain versions of the operating system. Nearly six years after Dirty Cow was disclosed, exploits for it continue to be in high demand in the cyber underground because of the number of vulnerable systems and devices that remain unpatched.

According to Kellerman, the Linux Kernel Dirty Pipe flaw basically allows data in arbitrary read-only files to be overwritten. This gives attackers a way to inject malicious code into root processes and escalate privileges. Kaspersky's Shmelev says the vulnerability occurs due to a flaw in the Linux kernel, which results in "pipes" that are used for interprocess communications to operate incorrectly.

"Exploitation of this vulnerability happens during creation of said pipe and during the execution of certain actions," Shmelev says. "[The flaw creates] a situation in which the perpetrator gains the ability to replace the content of any files, which are accessible in read-only mode" and thus escalate privileges on the system.

Straightforward to Exploit the Linux Flaw
The availability of a functioning Dirty Pipe exploit on various sites and repositories has made it straightforward for attackers to exploit the flaw. "It is enough to compile the source code of the exploit and launch the executable file on the device that is being attacked," Shmelev says.

Necessary security updates are available in many Linux distributions and can be launched as regular Linux kernel updates to patch the flaw, he adds.

"This is a privilege escalation vulnerability that requires local access in order to be exploited," says Giovanni Vigna, senior director of threat intelligence at VMware. "Therefore, restricting access to Linux servers on a strict need-to basis is a good general practice that would mitigate this particular attack," he says.

Combining this approach with network segmentation can limit the scope and reach of a breach, involving the Dirty Pipe flaw, he adds.

Vulnerabilities like Dirty Pipe are a growing concern because of the widespread use of Linux in cloud environments and the growing volume and complexity of Linux malware. A recent study by VMware showed that Linux currently powers some 78% of the most popular websites on the Internet, making the operating system a popular target for threat actors. At the same time, VMware found relatively few tools were available for detecting Linux-directed threats because of a lack of focus on the operating system among makers of anti-malware products.

"It is therefore not surprising that attacks that monetize data, such as ransomware, and CPU resources, such as cryptominers, have found a fertile ground in these environments," Vigna says. He points to REvil, DarkSide, and Defray as examples of Linux-based ransomware that, in particular, target cloud workloads.

"These used to be Windows-based threats that evolved into Linux versions to widen their target scope," he says. "As cybercriminals realize that there are large monetization opportunities in Linux-based environments, it is likely that Linux-based threats will keep increasing in frequency and sophistication."