The “Dirty Pipe” Linux kernel flaw – a high-severity vulnerability in all major distros that grants root access to unprivileged users who have local access – affects most of QNAP’s network-attached storage (NAS) appliances, the Taiwanese manufacturer warned on Monday.
Dirty Pipe, a recently reported local privilege-escalation vulnerability, affects the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x, QNAP advised. If exploited, an unprivileged, local user can gain admin privileges and inject malicious code.
The situation is grim: QNAP said that as of yesterday, there was no mitigation.
“Currently there is no mitigation available for this vulnerability. We recommend users to check back and install security updates as soon as they become available.” –QNAP
The following versions of QTS and QuTS hero are affected:
QNAP NAS running QTS 4.x aren’t affected. The company pointed users to a full list of the affected models: check “Kernel Version 5.10.60” in this link, it said in its advisory.
“QNAP is thoroughly investigating the vulnerability. We will release security updates and provide further information as soon as possible,” the advisory said.
As Bad as It Sounds
Security researcher Max Kellermann of CM4all discovered and reported the bug eight days ago. Tracked as CVE-2022-0847, the vulnerability has been in the Linux kernel since 5.8. Fortunately, the vulnerability has been fixed in Linux kernel 5.10.102, 5.15.25, and 5.16.11. If you’re at or above that version, you’re fine.
But as pointed out by Linux news site Linuxiac, Dirty Pipe doesn’t just threaten Linux machines: Since Android is based on the Linux kernel, any device running version 5.8 or later is also vulnerable, endangering a slew of people. Linuxiac pointed to the Google Pixel 6 and Samsung Galaxy S22 as examples: The massively popular phones use Linux kernel 5.10.43, which makes them vulnerable.
Dirty Pipe allows for overwriting of data in arbitrary read-only files, which leads to privilege escalation because unprivileged processes can inject code into root processes.
The Common Vulnerabilities and Exposures (CVE) database describes it as a “flaw in the way the ‘flags’ member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values.
“An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system,” according to the CVE description.
“If you’re not sure what that means but you think it sounds bad – you are correct!” MalwareBytes malware intelligence researcher Pieter Arntz wrote on Friday.
Keiderman offered a full technical analysis in his CM4all post. For his part, Arntz gave this TL;DR version: “The confusion in the Linux kernel is created by making use of the caching pages. Caching pages are temporary copies of files in a system’s memory that are created to make the handling of frequently used files faster. The vulnerability allows the attacker to make changes to the cached copy of a file that should be ‘read-only’ for a user without root permissions.
“In this way, it is possible for an attacker to gain root privileges, which ultimately allows him to take control of an affected system,” Arntz said.
QNAP Problems Redux
“Mike Parkin, senior technical engineer at Vulcan Cyber, told Threatpost on Tuesday that QNAP will hopefully release a kernel update quickly for the vulnerability. This is the second issue that the storage device vendor has reported recently, Parkin pointed out via email.”
In January, QNAP told users to immediately yank their internet-exposed NAS devices off the internet, as ransomware and brute-force attacks widely targeted all network devices.
“The Dirty Pipe vulnerability requires local user access to exploit, which does reduce the risk somewhat,” Parkin granted. But the Dirty Pipe issue again points out the need to make sure devices are “properly configured, maintained, and deployed in a manner that meets business needs while remaining secure,” he said.
“Ultimately systems need to be configured so they are only accessible by the people and systems that need access, and then only with the degree of access required to get the job done,” Parkin said.
That sounds about right to Hank Schless, senior manager of security solutions at Lookout.
NAS devices that provide storage and retrieval of data from a centralized location for authorized users and clients enable productivity, bringing the benefits of cloud computing inside networks, Schless said. The caveat: It also introduces “serious risk” if not done correctly, he added.
“Not only could attackers compromise the data within the particular resources they discover, but they could also move laterally around your network after initial compromise,” Schless told Threatpost on Tuesday. “Much like the main challenge with VPNs, which allow unbridled access to the infrastructure, NAS assets could act as a springboard for threat actors. It’s important to be able to segment access to particular apps, data, and resources to ensure that one compromised account or resource doesn’t lead to compromise of the entire infrastructure. This is a key reason that organizations use zero trust network access (ZTNA) as a piece of their modern security posture.”
People have been comparing Dirty Pipe to Dirty Cow. That’s an earlier privilege escalation vulnerability (CVE-2016-5195) that had already been in Linux for nine years – since 2007 – when it came under public attacks against web-facing Linux servers in 2016.
Dirty Pipe is similar to Dirty Cow, except that it’s worse: It’s easier to exploit, Keiderman said.
Vulcan Cyber’s Parkin noted that any exploit that gives root level access to a Linux system is “problematic.”
“An attacker that gains root gains full control over the target system and may be able to leverage that control to reach other systems,” he said.
The mitigating factor with this vulnerability is that it requires local access, which slightly lowers the risk, Parkin said. As well, the Dirty Pipe flaw has been fixed in the latest Linux kernel code, and patches should be available soon for the major distributions.
Privilege escalation is just the first step in attackers getting “full control” of a system, Parkin said. “Escalating privileges to root (POSIX family) or Admin (Windows) is often an attacker’s first priority when they gain access to a system, as it gives them full control of the target and can help them extend their foothold to other victims. That hasn’t changed for ages and is unlikely to change in the foreseeable future.”
Shweta Khare, cybersecurity evangelist at Delinea, told Threatpost that 2022 has already flung several serious, widespread bugs at us, including several Windows kernel, DNS server RCE, and Adobe vulnerabilities of high severity rating: bugs that let attackers gain elevated local system or admin privileges.
“Such OS bugs and application-level vulnerabilities can allow attackers to elevate privileges, move laterally inside the network, execute arbitrary code, and completely take over devices,” Khare noted via email.
The security expert said that containers offer a higher degree of security, but even they aren’t foolproof: “Recent incidents have demonstrated that containers are being exploited often via such vulnerabilities,” Khare said.
“In most organizations, microservices and containers are not yet covered under the enterprise security plan,” she said.
Khare advised that granular privilege management is one defense to minimize the risk exposure of these types of cyberattacks: “A Privileged Access Management (PAM) solution can secure container architectures to centrally manage user access rights and privileges to Linux Docker hosts, including hosts running CoreOS Container Linux,” she explained. “A best practice is to implement multi-factor authentication (MFA) and temporary privilege escalation to gain access to individual containers and container hosts. Enabling granular privilege management at the container platform and the container operating system layers across the development environments provides the best option for container security.”
031522 13:46 UPDATE: Corrected Shweta Khare’s pronouns.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.