QNAP has warned users of a high severity vulnerability in the majority of its Network Attached Storage (NAS) devices.
First uncovered affecting Linux devices, the Dirty Pipe vulnerability grants low-privileged users, with local access, root privileges to the affected drives. That allows them to inject, or overwrite data, even in read-only files.
The flaw was discovered in the Linux Kernel from 5.8 onwards, and even includes Android devices. While there is no evidence of the vulnerability being exploited in the wild, there is a proof-of-concept, published by cybersecurity researcher Max Kellermann.
We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.
Mitigations and workarounds
QNAP said the patch for the bug has already been issued, for Linux versions 5.16.11, 5.15.25, and 5.10.102. QNAP users, however, will have to wait until the OEM releases its own patch.
"Currently there is no mitigation available for this vulnerability,” the company said in an announcement. “We recommend users to check back and install security updates as soon as they become available."
Devices running QTS 5.0.x and QuTS hero h5.0.x, are affected. That includes QTS 5.0.x on all QNAP x86-based NAS, as well as some QNAP ARM-based NAS devices; and QuTS hero h5.0.x on all QNAP x86-based NAS and some QNAP ARM-based NAS devices
The full list of affected devices can be found here. NAS devices running QTS 4.x are not affected, nor vulnerable, the company confirmed.
QNAP has also released a temporary fix that users can use, as they wait for the official patch to hit the shelves. That includes disabling the Port Forwarding function of the router, as well as disabling the UPnP function of the QNAP NAS.
The company has also given a detailed explanation on how to off SSH and Telnet connections, change the system port number, update device passwords, and enable IP and account access protection. The instructions can be found here.
- Here's our rundown of the best cloud storage out there
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.