Taiwan-based network-attached storage (NAS) vendor QNAP has identified several of its products as potentially containing a serious Linux vulnerability called “Dirty Pipe”, which was first disclosed last week.
QNAP’s announcement is the latest indication of the potentially wide scope of Dirty Pipe, a privilege escalation flaw that exists in all Linux kernels from version 5.8 to versions prior to Linux 5.16.11, 5.15.25, and 5.10 .102. Security researcher Max Kellerman discovered the flaw [CVE-2022-0847] when investigating a support ticket involving corrupt files at a customer. Kellerman released a proof-of-concept exploit last week, along with an explanation of the problem.
The flaw has been fixed in all the latest versions of the Linux kernel. So far, there have been no reports of the Dirty Pipe vulnerability being exploited in the wild. However, the fact that the flaw exists on every Linux device running kernel version 5.8 or later – including newer ones. Android 12 devices such as Google Pixel 6 and Galaxy S22 running Android 12 – and the fact that it could be exploited in multiple ways has raised concerns. The US Cybersecurity and Infrastructure Security Agency (CISA) was among those urging organizations to review the details of the Dirty Pipe flaw and update to new patched versions of the kernel.
“This vulnerability allows an unprivileged local user to gain root privileges, such as the unauthorized creation of new [scheduling tasks]SUID binary hijacking, password modification, etc. says Yaroslav Shmelev, a security researcher at Kaspersky, who analyzed the flaw and published a report on it last week.
After gaining superuser rights, the attacker can access all data stored in the system, Shmelev explains. The attacker can also gain persistent root access to a compromised system, delete all traces of their presence in the system, and modify privileged system services to capture user credentials, he says.
QNAP described the affected products as including all of its x86-based NAS and some QNAP ARM-based NAS devices running QTS 5.0.x and QuTS hero h5.0.x operating systems.
In an advisory, the vendor describes the vulnerability as giving an unprivileged user the ability to gain administrative privileges and inject arbitrary code into vulnerable systems. QNAP says no mitigation is currently available for the vulnerability and urged users of affected devices to check and install company security updates as soon as they become available.
“QNAP is thoroughly investigating the vulnerability,” the company noted. “We will release security updates and provide further information as soon as possible.”
Kellerman described the Dirty Pipe flaw as similar, but easier to exploit, than another privilege escalation Linux kernel flaw from 2016 named “Dirty Cow” (CVE-2016-5195). This bug was related to the way the Linux kernel’s memory subsystem handled a so-called copy-on-write (COW) function. Like the recently reported Linux flaw, Dirty Cow has impacted a wide range of systems – including Android devices – based on certain versions of the operating system. Nearly six years after Dirty Cow’s disclosure, its exploits continue to be in high demand in the cyber underground due to the number of vulnerable systems and devices that remain unpatched.
According to Kellerman, the Linux Kernel Dirty Pipe flaw essentially allows data to be overwritten in arbitrary read-only files. This gives attackers a way to inject malicious code into root processes and elevate privileges. Kaspersky’s Shmelev claims the vulnerability is caused by a flaw in the Linux kernel, which causes “channels” used for interprocess communications to function incorrectly.
“The exploitation of this vulnerability occurs when creating said channel and when performing certain actions,” says Shmelev. “[The flaw creates] a situation in which the author gains the ability to replace the contents of all files, which are accessible in read-only mode” and thereby elevate privileges on the system.
Simple to exploit the Linux flaw
The availability of a working Dirty Pipe exploit on various sites and repositories made it easy for attackers to exploit the flaw. “You just have to compile the source code of the exploit and run the executable file on the attacked device,” says Shmelev.
The necessary security updates are available in many Linux distributions and can be rolled out as regular Linux kernel updates to fix the flaw, he adds.
“This is a privilege escalation vulnerability that requires local access to exploit,” said Giovanni Vigna, senior director of threat intelligence at VMware. “Therefore, restricting access to Linux servers on a strictly necessary basis is a general good practice that would mitigate this particular attack,” he said.
Combining this approach with network segmentation can limit the scope and reach of a breach, involving the Dirty Pipe flaw, he adds.
Vulnerabilities such as Dirty Pipe are a growing concern due to the widespread use of Linux in cloud environments and the growing volume and complexity of Linux malware. A recent VMware study showed that Linux currently powers around 78% of the most popular websites on the Internet, making the operating system a popular target for threat actors. At the same time, VMware found that relatively few tools were available to detect Linux-led threats due to the lack of attention paid to the operating system by manufacturers of anti-malware products.
“So it’s no surprise that attacks that monetize data, such as ransomware, and CPU resources, such as cryptominers, have found fertile ground in these environments,” says Vigna. He cites REvil, DarkSide, and Defray as examples of Linux-based ransomware that, in particular, targets cloud workloads.
“These were previously Windows-based threats that evolved into Linux flavors to expand their target reach,” he says. “As cybercriminals realize there are great monetization opportunities in Linux-based environments, it’s likely that Linux-based threats will continue to increase in frequency and sophistication.”