QNAP has warned users of a high severity vulnerability in the majority of its Network Attached Storage (NAS) devices.
First uncovered affecting Linux devices, the Dirty Pipe vulnerability grants low-privileged users, with local access, root privileges to the affected drives. That allows them to inject, or overwrite data, even in read-only files.
The flaw was discovered in the Linux Kernel from 5.8 onwards, and even includes Android devices. While there is no evidence of the vulnerability being exploited in the wild, there is a proof-of-concept, published by cybersecurity researcher Max Kellermann.
Mitigations and workarounds
QNAP said the patch for the bug has already been issued, for Linux versions 5.16.11, 5.15.25, and 5.10.102. QNAP users, however, will have to wait until the OEM releases its own patch.
“Currently there is no mitigation available for this vulnerability,” the company said in an announcement. “We recommend users to check back and install security updates as soon as they become available.”
Devices running QTS 5.0.x and QuTS hero h5.0.x, are affected. That includes QTS 5.0.x on all QNAP x86-based NAS, as well as some QNAP ARM-based NAS devices; and QuTS hero h5.0.x on all QNAP x86-based NAS and some QNAP ARM-based NAS devices
The full list of affected devices can be found here. NAS devices running QTS 4.x are not affected, nor vulnerable, the company confirmed.
QNAP has also released a temporary fix that users can use, as they wait for the official patch to hit the shelves. That includes disabling the Port Forwarding function of the router, as well as disabling the UPnP function of the QNAP NAS.
The company has also given a detailed explanation on how to off SSH and Telnet connections, change the system port number, update device passwords, and enable IP and account access protection. The instructions can be found here.