'Dirty Pipe' Linux Flaw Affects a Wide Range of QNAP NAS Devices
2022-03-15 21:05

Network-attached storage appliance maker QNAP on Monday warned of a recently disclosed Linux vulnerability affecting its devices that could be abused to elevate privileges and gain control of affected systems.

"A local privilege escalation vulnerability, also known as 'Dirty Pipe,' has been reported to affect the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x," the company said.

The Taiwanese firm said it's continuing to thoroughly investigate its product line for the vulnerability and that QNAP NAS devices running QTS 4.x are immune to the Dirty Pipe flaw.

Tracked as CVE-2022-0847, the shortcoming resides in the Linux kernel and could permit an attacker to overwrite arbitrary data in any read-only file, allowing a complete takeover of vulnerable machines.

The issue has since been fixed in Linux versions 5.16.11, 5.15.25, and 5.10.102 as of February 23, 2022, three days after it was reported to the Linux kernel security team.

"Currently there is no mitigation available for this vulnerability," the company added.


News URL

https://thehackernews.com/2022/03/dirty-pipe-linux-flaw-affects-wide.html

Related Vulnerability

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-03-10 | CVE-2022-0847 | Improper Initialization vulnerability in multiple products | 7.8 |

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values.

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Linux 11 64 2532 1569 67 4232
Qnap 80 4 97 122 76 299