Is Scale Affected by Dirty Pipe Exploit?

[HarryMuscle]

Just read about the Dirty Pipe exploit (https://arstechnica.com/information...ts-most-high-severity-vulnerability-in-years/) and I was wondering if we could get confirmation if the release version of Scale is affected or is it's already patched?

Thanks,
Harry

 

[jgreco]

How would it be "already patched"?

It isn't really a problem unless you're letting users log directly onto your server and get a shell. Which is always a bad idea.

 

[HarryMuscle]

How would it be "already patched"?

It isn't really a problem unless you're letting users log directly onto your server and get a shell. Which is always a bad idea.

The kernel was patched last month before this exploit was made public so depending which kernel version is being used in the release version of Scale it could already be patched.

Thanks,
Harry

 

[elvisimprsntr]

According to BC

While the bug has been fixed in Linux kernels 5.16.11, 5.15.25, and 5.10.102, many servers continue to run outdated kernels making the release of this exploit a significant issue to server administrators.

New Linux bug gives root on all major distros, exploit released

A new Linux vulnerability known as 'Dirty Pipe' allows local users to gain root privileges through publicly available exploits.

www.bleepingcomputer.com

Current SCALE Angelfish release and Bluefin nightlies are using 5.10.93, so unless you need it, disable SSH

root@NAS-3[~]# uname -a
Linux NAS-3 5.10.93+truenas #1 SMP Wed Feb 23 14:35:55 UTC 2022 x86_64 GNU/Linux
root@NAS-3[~]#

 

[elvisimprsntr]

Latest nightlies are running newer kernel.

TrueNAS-SCALE-22.12-MASTER-20220310-132924

Code:

root@NAS-3[~]# uname -a
Linux NAS-3 5.10.103+truenas #1 SMP Tue Mar 8 20:31:49 UTC 2022 x86_64 GNU/Linux