Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Unraid OS 6.9.2 vulnerable to Dirty Pipe (CVE-2022-0847)

Featured Replies

Search shows zero mentions of CVE-2022-0847 on the forums, so I'm starting a new thread. This is a privilege escalation vulnerability introduced in Linux Kernel 5.8. It is fixed in 5.16.11, 5.15.25, and 5.10.102. Unraid OS 6.9.2 runs Kernel 5.10.28, so the current release of Unraid is vulnerable.

 

Can we get a patch for this?

 

Resources

https://dirtypipe.cm4all.com/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847

https://arstechnica.com/information-technology/2022/03/linux-has-been-bitten-by-its-most-high-severity-vulnerability-in-years/

  • k2U79!KvW9AXpwAc changed the title to Unraid OS 6.9.2 vulnerable to Dirty Pipe (CVE-2022-0847)

How would this specific exploit work in Unraid? Unlike typical linux installs, ONLY root is allowed console login, so no privilege escalation attack from that vector, right?

 

Since Unraid operates so differently from normal setups, I'm having a hard time picturing how this effects us.

  • Author
3 minutes ago, JonathanM said:

How would this specific exploit work in Unraid? Unlike typical linux installs, ONLY root is allowed console login, so no privilege escalation attack from that vector, right?

 

Since Unraid operates so differently from normal setups, I'm having a hard time picturing how this effects us.

 

I would be delighted if that was the case.

 

I may be inaccurate describing this purely as a privilege escalation vulnerability. It allows an attacker with access to an unprivileged user (all the way down to "nobody") to "to overwrite any file contents cached in memory. Dirty Pipe can do this even if the file is not permitted to be written."

 

Researchers have demonstrated that this vulnerability can be used to:

  • add an SSH key to the root user's account link
  • hijack an SUID binary to create a root shell link
  • overwrite data in read-only files link

I don't have sufficient depth on Unraid's architecture to know whether defense in depth strategies will mitigate this. I just saw that it's a kernel level vulnerability and we're running an effected kernel version.

Looks like Slackware 15 did a kernel upgrade on march 2nd to 5.16.12 and 5.16.11 had the patch so depending on RC3 base it may make it.  Worse case I would expect in the final release.

 

in terms of the vector for attack, seems like a carefully crafted plug-in could get it done.

Edited by txwireless

5 minutes ago, txwireless said:

 

in terms of the vector for attack, seems like a carefully crafted plug-in could get it done.

But plugins run as root anyway, so nothing has changed? Unraid is extremely vulnerable in one sense, as a malicious plugin can do damage regardless of this exploit.

 

I'm just not seeing how this exploit changes Unraid's exposure.

12 minutes ago, JonathanM said:

as a malicious plugin can do damage regardless of this exploit

Which is why every single plugin regardless of author undergoes a code inspection prior to inclusion in CA

  • Author
2 hours ago, Squid said:

Which is why every single plugin regardless of author undergoes a code inspection prior to inclusion in CA

 

Thanks so much for that 🙏🏼

 

CA is amazing - really makes Unraid, and thus my homelab, useful for me. My big worry about a vulnerability like this is that it makes me hesitant to load new stuff in CA.

 

Would a dockerized app be able to exploit this vulnerability? I expect a VM would isolate the exploit, but since containers share the host kernel, the vulnerability may be passed through as well.

1 hour ago, k2U79!KvW9AXpwAc said:

My big worry about a vulnerability like this is that it makes me hesitant to load new stuff in CA.

Plugins don't particularly worry me.  We're a small club of authors, and no one gets a free pass on inspection, and we also all have to deal with certain employees of Limetech doing another random inspection looking for other types of vulnerabilities.

 

I'm more concerned about users installing a random container from a dockerHub search (not anything within CA itself) that might contain something unexpected (eg: mining software).  The sweet thing about docker apps in particular is that they all only have access to files and folders that you've explicitly given them permission to have, so any malicious intent (eg: ransomware) is limited.  Once again, this is about stuff that's on a dockerHub search, not CA itself.

 

Both CA and FCP know what's going on with the apps installed, and if (big if) something ever malicious snuck through immediate steps are done to both alert the user and myself to what's happening.

19 hours ago, JonathanM said:

How would this specific exploit work in Unraid? Unlike typical linux installs, ONLY root is allowed console login, so no privilege escalation attack from that vector, right?

 

Since Unraid operates so differently from normal setups, I'm having a hard time picturing how this effects us.

 

Correct me if I am wrong but:

 

1) You can have different user for your SMB share.

2) You can have different user for SSH

3) You have "Docker user". Some containers are set up to allow you to specify a UID/GID to be used by passing it in as an environment variable.

 

Probably not easy and the need for multiple vulnerability/misconfiguration but docker can be "escaped". Ex.: Consider a RCE that gives you access to a docker and from there you could possibly escape the container or if the container allows you to have "user" access to a folder, with the above vulnerability you can make it to root.

 

Now my opinion is that regardless the vulnerability the system needs to be fixed. Security is like an onion, if too many layers are missing, the chances of something bad happening is increased.

What we need is the possibility to avail of the latest security patches without waiting for a major/RC release. This topic has been brought up already before and I hope limetech will implement the changes quite fast.

 

  • 2 weeks later...

I saw that there is a NEXT branch update to fix this issue, but honestly I don't know if is better to wait the stable release update. What do you suggest?

 

Thanks

To be honest the RC4 is quite stable and I prefer to have the security fixes in place.

On 3/8/2022 at 4:24 PM, JonathanM said:

How would this specific exploit work in Unraid? Unlike typical linux installs, ONLY root is allowed console login, so no privilege escalation attack from that vector, right?

 

Since Unraid operates so differently from normal setups, I'm having a hard time picturing how this effects us.

 

We already had the same discussion over a year ago.

Privilege escalation is very bad, and definitely needs to be fixed. Especially with the currently heightened threat levels.

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.