Dirty Pipe Linux Weakness and Why You and your Linux Based NAS Should Care?
For those that might not be aware, a vulnerability in Linux kernel 5.8 and above was disclosed by Max Kellerman last week and publically disclosed (with a proof of concept demonstrating the weakness) and this vulnerability was reported (tracked under CVE-2022-0847) and effectively allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root. This Linux vulnerability is reported to be comparable to the Dirty CoW vulnerability found in Linux from 7 years ago (CVE-2016-5195) where an exploit was used for pushing malware onto software services. Full details on the public disclosure and demonstration of the vulnerability by Kellerman can be found here, but the larger impact of this is that there are many, MANY different software platforms around the world that utilize Linux as the base of their systems and alongside Android and smart home appliances, one big advocate of Linux kernel-based development is NAS storage providers in their systems and services. Now, on the plus side, Linux was incredibly quick to implement a patch on this and the vulnerability has been closed on Linux kernels 5.16.11, 5.15.25, and 5.10.102, however, most NAS servers use different versions of the Linux kernel, as well as roll out updates to their varied hardware systems in a most bespoke fashion. This leads to them potentially running outdated kernels and leaving a door open to this exploit, posing a significant issue to server administrators. We fully expect NAS brands to roll out updates where appropriate/applicable shortly to close this vulnerability, however, one consistent thread in the past when some NAS brands have been hit by ransomware/malware exploits is when vulnerabilities that are found in older software revisions are left unchecked by the end-user (ignoring brand updates or practising unsafe network security). So today, let’s discuss the dirty pipe vulnerability, how/if it affects Synology, QNAP, Asustor and Terramaster NAS platforms right now and what you should do right now to avoid any exploits being used on your system.
What is Dirty Pipe?
In brief, Dirty Pipe is a vulnerability in Linux Kernel 5.8 onwards that allows local users to inject their own data into sensitive read-only files, removing restrictions or modifying configurations to provide greater access than they usually would have. This was first registered and made publically known by Mark Kellerman and he gives an incredibly concise and detailed breakdown on the vulnerability, how he found it and it’s implications in this article by him.
“It all started a year ago with a support ticket about corrupt files. A customer complained that the access logs they downloaded could not be decompressed. And indeed, there was a corrupt log file on one of the log servers; it could be decompressed, but gzip reported a CRC error. I could not explain why it was corrupt, but I assumed the nightly split process had crashed and left a corrupt file behind. I fixed the file’s CRC manually, closed the ticket, and soon forgot about the problem. “Months later, this happened again and yet again. Every time, the file’s contents looked correct, only the CRC at the end of the file was wrong. Now, with several corrupt files, I was able to dig deeper and found a surprising kind of corruption. A pattern emerged.”” Kellermann said.
A short while afterwards, a security advisor by the name of BLASTY updated this with an increasingly easier method of its execution and also publically disclosed it, highlighting just how much easier it made it to gain root privileges by patching the /usr/bin/su command to drop a root shell at /tmp/sh and then executing the script. This all means that it makes it possible for a user to gain admin authentication and system powers and can then execute malicious commands to the system.
— blasty (@bl4sty) March 7, 2022
These can range from malware to (the increasingly more likely) a ransomware action that would encrypt the contents of the system and demand a fee for it’s decryption. Now, the nature of this exploit at this time (for systems that have not or cannot update to the latest patch Linux kernel 5.16.11, 5.15.25, and 5.10.102 right now) is still limited as it would only be usable in the event of a targetted attack and/or the need for a further utility or application in the system to execute the follow-up command. Now the extent to which this affected NAS Drives from the popular off the shelf private server providers is actually surprisingly diverse and a big part of that comes down to how each NAS brand is utilizing Linux. More precisely, different NAS brands are running their NAS system software on differing kernels of linux that they update over time, as well as individual systems in their respective portfolio (for reasons of hardware and utility) also run slightly different revisions of Linux for their software, eg Synology and DSM, QNAP and QTS, Asustor and ADM, etc. So, how does this affect each NAS brand, if at all?
What is the Impact of Dirty Pipe on Synology NAS?
By the looks of things, Synology NAS and DSM 7/7.1 are not susceptible to the Dirty Pipe vulnerability. This is largely down to the Diskstation Manager software and services running on Linux kernel 4.4 (this will vary in subversion depending on the Synology NAS solution). The vulnerability that is executed is found in version 5.8 onwards and even if Synology update their platform to this linux revision in the near future, they would also use the patched revisions and therefore avoid the weakness. Indeed, a bold move by the brand themselves on Reddit when an official Synology rep on the /synology sub reddit made it abundantly clear (zero ambiguity) that the Synology NAS platform and DSM7 was not going to be touched by this:
This i further highlighted by the brand’s security advisory not even acknowledging this in any way HERE. Generally, Synology are s#!t hot on updating their advisories, so this is a very good sign and I would believe them on this (as well as the kernel versions backing this up).
What is the Impact of Dirty Pipe on QNAP NAS?
QNAP NAS, QTS and QuTS run a higher revision of the Linux kernel than Synology, which unfortunately means that this vulnerability (although targetted in design and closed in it’s scope). QNAP runs kernal 5.10.60 on it’s Prosumer, business and enterprise systems and kernal 4.2.8 on it’s more affordable/ARM systems. Once again, it is worth remembering that this si a vulnerability that was found in Linux, not QTS/QuTS, so not only is this something that is not QNAP’s fault but also that issuing a patch/firmware update for their software and services will not be immediate (as they run a modified linux platform and any update needs internal implementation and testing before rolling out). QNAP issued details on this remarkably quickly via their Security Advisory pages with an updated line on this and highlighted which systems in their portfolio were unaffected (running Linux Kernel 4.X onward) as well as ones that feature the affected linux revision that an update will be available for shortly. Here is a breakdown of what they said:
Release date: March 14, 2022
Security ID: QSA-22-05
CVE identifier: CVE-2022-0847
Affected products: All QNAP x86-based NAS and some QNAP ARM-based NAS running QTS 5.0.x and QuTS hero h5.0.x
Not affected products: QNAP NAS running QTS 4.x
A local privilege escalation vulnerability, also known as “dirty pipe”, has been reported to affect the Linux kernel on QNAP NAS running QTS 5.0.x and QuTS hero h5.0.x. If exploited, this vulnerability allows an unprivileged user to gain administrator privileges and inject malicious code. The following versions of QTS and QuTS hero are affected:
- QTS 5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS
- QuTS hero h5.0.x on all QNAP x86-based NAS and certain QNAP ARM-based NAS
For a full list of the affected models, please check “Kernel Version 5.10.60” in the following link: https://www.qnap.com/go/release-notes/kernel. QNAP is thoroughly investigating the vulnerability. We will release security updates and provide further information as soon as possible. Recommendation – Currently there is no mitigation available for this vulnerability. We recommend users to check back and install security updates as soon as they become available.
So, if you are curious if your system is running the affected linux kernel, you can find a list of QNAP NAS systems that feature 5.10.60 below:
QNAP are working on this right now and although an firmware update should be available quickly, I would recommend heading to the bottom of this article for recommendations on securing your storage and network setup either in the long term OR till an official patch is issued.
What is the Impact of Dirty Pipe on Asustor NAS?
In more positive news, not only is Asustor and ADM 4 not affected by the dirty pipe vulnerability but also the brand has been fantastically loud about this in their security advisory pages. This is one of those rare occasions where a brand has added an entry to their advisory pages for a vulnerability that is NOT impacting their systems. I kind of wish we saw more of this, as even if a brand is NOT affected by a weakness that is being reported on servers, users would rather be abundantly clear. You can find out more from Asustor’s security advisory pages HERE, but the details are available below:
Details – A flaw was found in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.
Statement – None of ASUSTOR’s products are affected by CVE-2022-0847, this vulnerability issue only affects with Linux Kernel 5.8 and above. The Linux Kernel version built in ADM 4.0 is 5.4, and 4.14 in ADM 3.5.
So, they are making things remarkably clear that regardless of the current update/firmware status of your system, you are unaffected.
What is the Impact of Dirty Pipe on Terramaster NAS?
Details on the linux kernel that is utilized by Terramaster in their NAS systems in the current TOS 4 software that is available (As well as the TOS 5 beta) are still being investigated and I will update the article shortly with my findings. Early checks seem to indicate that TOS 4 is running on an earlier version of linux and therefore unaffected. However, I will confirm this and the TOS 5 beta status as soon as possible here in the article.
What Security Measures Should NAS Owners Take to Avoid Dirty Pipe?
Although the circumstances that need to execute this Linux dirty pipe vulnerability towards your NAS are quite restricted (classing this largely as a targetted attack, as a little bit more prior knowledge is needed about the targeted system in order to exploit it and execute code), this should still not leave users to remain complacent. Regardless of whether you are a QNAP, Synology, Asustor or Terramaster user, you should be actioning safe and secure working practices with your data – as well as ensuring that you have sufficient backups in place of your mission-critical and/or irreplaceable data! Here are some recommendations for your NAS setup to reduce the potential for you to be affected by any exploited vulnerability that could well be currently unidentified in your setup:
If you are concerned about being vulnerable to Dirty Pipe and want to ‘shut the doors’ a bit till a firmware update:
- Disable Port Forwarding
- Disable uPnP Auto Configuration Tools
- Disable SSH & Telnet Services
- Change Your Port Numbers
If you want to take a moment to do some security and access house-keeping:
- Disable Admin Accounts
- Enable Auto Updates
- Add 2-Step Verification
- Use Strong Passwords
- Limit App File/Folder Access to applications they do not need them
And finally, most important of all – GET YOUR BACKUPS IN ORDER!
I will repeat this as many times as it takes, but you should NOT be measuring the cost of your backups by the cost of the hardware. You should measure them by the COST to YOU if that data is permanently LOST! Additionally, if all your mission-critical/irreplaceable data is in ONE location (eg on the NAS, sent from your phones and PCs, then deleted from those to make space), then THAT IS NOT A BACKUP! That is the single repository of that data! Get a USB Backup in place, get a Backblaze Subscription HERE affordably or some cloud space in general, get another NAS – whatever it takes! If you need help arranging your NAS backups on your QNAP or Synology NAS, use the video guides below:
Finally, if you want to stay on top of the vulnerabilities that are publically disclosed on Synology, QNAP, Asustor or Terramaster, I STRONGLY recommend following and/or adding your email to the article below. We automatically crawl the security advisory pages from the top NAS brands and have created a single page that automatically lists and updates the status of known NAS vulnerabilities as soon as they are revealed.
Thanks for reading and let’s keep your data safe together!
LET ME KNOW ABOUT NEW POSTS
Enter your email address to subscribe to this blog and receive notifications of new posts by email.
Join 1,460 other subscribers
Get an alert every time something gets added to this specific article!
This description contains links to Amazon. These links will take you to some of the products mentioned in today's content. As an Amazon Associate, I earn from qualifying purchases. Visit the NASCompares Deal Finder to find the best place to buy this device in your region, based on Service, Support and Reputation - Just Search for your NAS Drive in the Box Below
SEARCH IN THE BOX BELOW FOR ANY OTHER NAS