Hardware vendor QNAP has warned customers to secure their Linux-based network-attached storage (NAS) devices against a newly discovered Sudo privilege escalation vulnerability. The vulnerability, tracked as CVE-2023-22809, could allow a local attacker to escalate privileges by using the sudoedit utility to edit files that the sudoers policy does not authorize.
Sudoedit (also invoked as sudo -e) is a command that lets a user edit a file under the context of another user. It is commonly used to modify a root-owned file while logged in as a lower-privileged account, with the sudoers policy listing exactly which files a given user may edit this way. The vulnerability lies in how sudoedit handles extra arguments passed in through the user-controlled editor environment variables (SUDO_EDITOR, VISUAL and EDITOR). Sudoedit places the files to be edited after a "--" separator on the editor's command line, but affected versions did not check the editor variables for that separator. An attacker who sets, for example, EDITOR to an editor name followed by "-- /path/to/file" can therefore make sudoedit treat that extra path as one of the files to open, bypassing the sudoers check and editing a highly privileged file without the appropriate permissions.
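To make the mechanism concrete, the following shell functions model the argument handling described above. This is an added illustration written for this page, not sudo's own code, and it simplifies: it assumes sudo splits the editor variable on whitespace, appends "--" and the policy-approved files, and then takes everything after the first "--" as a file name (including the separator sudo itself appended). The file names used are constructed examples.

```shell
#!/bin/sh
# Added model of the sudoedit argument handling behind CVE-2023-22809.
# Not sudo's code; it only reproduces the shape of the logic.

# Vulnerable behaviour. $1 is the contents of SUDO_EDITOR/VISUAL/EDITOR,
# the remaining arguments are the files the sudoers policy approved.
# Prints, space separated, the files the front end would open as root.
files_seen_by_frontend() {
    editor_value=$1; shift
    approved="$*"
    set -- $editor_value            # split the editor string into words
    set -- "$@" -- $approved        # append the separator and the approved files
    files=""; in_files=0
    for arg in "$@"; do
        if [ "$in_files" -eq 1 ]; then
            # everything after the FIRST "--" is taken as a file name
            files="${files:+$files }$arg"
        elif [ "$arg" = "--" ]; then
            in_files=1
        fi
    done
    printf '%s\n' "$files"
}

# The check added by the fixed versions (modelled here, not copied from sudo):
# an editor string that carries its own "--" argument is refused.
editor_value_is_safe() {
    set -- $1
    for arg in "$@"; do
        [ "$arg" = "--" ] && return 1
    done
    return 0
}

# Patched behaviour: reject the editor string before building the command line.
files_seen_after_fix() {
    editor_value_is_safe "$1" || { echo "rejected: editor string contains --" >&2; return 1; }
    files_seen_by_frontend "$@"
}

# Demonstration with constructed inputs; run this file directly to see both outcomes.
if [ "${1:-}" = "--demo" ]; then
    echo "vulnerable, EDITOR='vim -- /etc/shadow', approved /tmp/note.txt:"
    files_seen_by_frontend 'vim -- /etc/shadow' /tmp/note.txt
    echo "patched, same input:"
    files_seen_after_fix 'vim -- /etc/shadow' /tmp/note.txt || true
fi
```

With the benign value vim the front end sees only the approved file; with vim -- /etc/shadow the attacker's path lands in the list ahead of the approved file, which is the whole bug.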
This vulnerability exists in Sudo versions 1.8.0 through 1.9.12p1 (it was fixed upstream in Sudo 1.9.12p2) and affects the QTS, QuTS hero, QuTScloud, and QVP NAS operating systems from QNAP. QNAP has provided patches for the QTS and QuTS hero platforms but is still working on QuTScloud and QVP updates.
It is highly recommended to update all affected devices as soon as possible to prevent exploitation of this vulnerability. Since patches have been released for the QTS and QuTS hero platforms, updates should be applied immediately to those devices. For the QuTScloud and QVP products, where patches are not yet available, check regularly for a release via the system's Update panel. QNAP devices are heavily targeted by threat actors, particularly the ransomware groups behind DeadBolt and eChoraix, so it will likely not be long before this vulnerability is exploited in the wild. Note that CVE-2023-22809 is a local vulnerability: the attacker must already be able to run commands as an account that has sudoedit rights, so in practice it would be chained after an initial foothold rather than used for initial access.

For devices that cannot be patched yet, review the sudoers file to determine the attack surface. For the vulnerability to be exploited, a user needs a sudoers rule granting sudoedit (sudo -e) on at least one file, so if any users have sudoedit access to less important files, it may be worth temporarily removing that access until the patch can be applied. The upstream Sudo advisory also documents an interim sudoers workaround that deletes the SUDO_EDITOR, VISUAL and EDITOR environment variables for sudoedit, forcing the editor configured in the policy to be used instead of a user-supplied one.

Likewise, review the Internet accessibility of the device and remove it from the wider Internet if exposure is not required. Threat actors commonly scan for misconfigured NAS devices with management interfaces exposed to the Internet, so reviewing and fixing these misconfigurations helps prevent a threat actor from establishing an initial foothold on the device in the first place.
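The review described above can be scripted. The following POSIX shell helpers are an added example for this page, not QNAP's or the Sudo project's tooling: they compare the installed sudo version against the affected range 1.8.0 through 1.9.12p1, list the sudoers rules that grant sudoedit, and check for the interim env_delete workaround from the upstream advisory. The sudoers path /etc/sudoers and the sample policy written by sample_sudoers are assumptions constructed for the example; a real device may keep its policy elsewhere or split it across an include directory, which these helpers do not follow.

```shell
#!/bin/sh
# Added audit helpers for CVE-2023-22809 (not QNAP's or sudo's own tooling).

# Turn "1.9.12p1" into one comparable integer: major*1e6 + minor*1e4 + patch*100 + plevel.
# Assumes each component stays below 100, which holds for every released sudo version.
sudo_version_key() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%p*}
    case $rest in *p*) plevel=${rest#*p} ;; *) plevel=0 ;; esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# True (exit 0) when the version lies in the affected range 1.8.0 .. 1.9.12p1.
sudo_version_vulnerable() {
    key=$(sudo_version_key "$1")
    [ "$key" -ge "$(sudo_version_key 1.8.0)" ] && [ "$key" -le "$(sudo_version_key 1.9.12p1)" ]
}

# Pull the version out of the first line of `sudo -V`, e.g. "Sudo version 1.9.12p1".
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Print the non-comment, non-Defaults sudoers rules that grant sudoedit:
# these are the principals whose access is worth removing until the patch lands.
sudoedit_rules() {
    grep -Ev '^[[:space:]]*(#|Defaults)' "$1" \
        | grep -E '(^|[^[:alnum:]_])sudoedit([^[:alnum:]_]|$)'
}

# Interim mitigation documented in the upstream sudo advisory: drop the editor
# environment variables for sudoedit so the policy's "editor" setting is used
# and a user-supplied "--" can never reach the editor command line.
MITIGATION='Defaults!sudoedit env_delete+="SUDO_EDITOR VISUAL EDITOR"'

sudoers_has_mitigation() {
    grep -Fq "$MITIGATION" "$1"
}

# Constructed sample policy (not taken from any real device) for exercising the helpers.
sample_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed example policy
Defaults env_reset
root ALL=(ALL) ALL
alice ALL = sudoedit /etc/motd, /var/www/html/index.html
bob   ALL = NOPASSWD: /usr/bin/systemctl restart nginx
EOF
    printf '%s\n' "$f"
}

# Full check against the running host. Assumes the policy lives at /etc/sudoers.
audit_host() {
    sudoers=${1:-/etc/sudoers}
    ver=$(sudo_version_from_banner "$(sudo -V 2>/dev/null | head -n1)")
    if [ -z "$ver" ]; then
        echo "could not determine sudo version"; return 2
    fi
    if sudo_version_vulnerable "$ver"; then
        echo "sudo $ver is in the affected range (1.8.0 - 1.9.12p1)"
    else
        echo "sudo $ver is outside the affected range"
    fi
    echo "sudoedit rules in $sudoers:"
    sudoedit_rules "$sudoers" || echo "  (none)"
    if sudoers_has_mitigation "$sudoers"; then
        echo "interim mitigation present"
    else
        echo "interim mitigation absent; consider adding via visudo: $MITIGATION"
    fi
}

if [ "${1:-}" = "--run" ]; then
    audit_host "${2:-/etc/sudoers}"
fi
```

Run it as sh audit.sh --run on the device (as a user allowed to read the policy). The mitigation line must be added with visudo, which syntax-checks the file; a broken sudoers can lock administrators out of sudo entirely, and the workaround also forces every sudoedit user onto the policy's configured editor.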