QNAP reported that many of its NAS systems are vulnerable to a previously discovered Dirty Pipe bug. This error makes Franchise Escalation Possible when attackers access the system locally. The company will later release patches to its systems.
QNAP . writes that many of its systems are prone to error that Already detected† All x86 NAS systems running QTS version 5.0 or QuTS hero h5.0 or later are at risk. The same goes for “certain” Arm models with those OS versions. QNAP systems running QTS 4 are not at risk.
The vulnerability is present in all versions of Linux kernel from 5.8 onwards. makes a mistake Escalation of local franchise possible. This allows attackers with local access to the NAS system to run commands as root and enter their own code. The vulnerability cannot be exploited remotely.
Weakness in dirty pipes is referred to as CVE-2022-0847† This is a bug in the Linux kernel’s pipe buffer structure that attackers can exploit to navigate to pages in the Linux kernel. Page cache To obtain admin rights on the system. The update has since been patched into the Linux kernel.
QNAP gives the vulnerability a “high” severity level. The company says it is investigating the vulnerability. The NAS manufacturer will later release more information and security updates to its systems that fix the vulnerability. It is not known exactly when that will happen.
Update, 11.12: The article explained that it is a Linux vulnerability and not just a bug in QNAP systems.