Taiwanese network storage (NAS) manufacturer QNAP has warned its users that several of its products potentially contain a serious vulnerability in Linux, known as Dirty Pipe.
The Dirty Pipe privilege escalation vulnerability (CVE-2022-0847) in Linux kernel versions from 5.8 to Linux 5.16.11, 5.15.25, and 5.10.102 was discovered last week. The problem allows a local user without privileges to get superuser rights.
The vulnerability has been fixed in all recent kernel versions. At the moment there is no evidence of its exploitation by hackers in real attacks. However, the fact that the vulnerability is present in every Linux device, including new smartphones running Android 12, is worrying.
The problem affects all x86-based QNAP network storage and some ARM-based devices with QTS 5.0.x and QuTS hero h5.0.x operating systems.
The vulnerability allows an unprivileged user to gain administrator rights and inject arbitrary code into vulnerable NAS. According to QNAP, there are currently no ways to bypass the vulnerability, and the only way to protect devices from its exploitation is to install the latest updates as soon as they become available.
Currently, QNAP is carefully studying the vulnerability and preparing fixes.