March 28, 2024
Dirty Pipe flaw in Linux

A vulnerability in the Linux kernel has been discovered that is relatively easy to exploit. It affects several Linux distributions, as well as Google’s Android.

While analysing a problem raised by a customer of the hosting company Ionos, an expert discovered a flaw in the Linux kernel. It is tracked as CVE-2022-0847 and carries a CVSS severity score of 7.8. Max Kellermann, a developer at Ionos, named the flaw Dirty Pipe, echoing a similar vulnerability named Dirty Cow (CVE-2016-5195), which was revealed in October 2016. In his analysis, the specialist found “a surprising case of corruption” affecting web server access logs. Specifically, the flaw is located in the Linux kernel and gives attackers the ability to overwrite data in any read-only file and take complete control of the affected systems.

A PoC published

According to Max Kellermann, the vulnerability has existed since version 5.8 of the Linux kernel and leads to “an elevation of privileges, as unprivileged processes can inject code into the root processes”. In detail, the weakness lies in the way pipes are managed. Short for pipeline, a pipe is a one-way inter-process communication mechanism in which a set of processes are chained together. To trigger the flaw, according to the specialist, one has to: create a pipe and fill it with data, empty the pipe, splice data from the target read-only file into the pipe, and then write arbitrary data to the pipe.

He demonstrated his work with a PoC of the exploit. Attackers can perform a number of malicious actions on a system, including altering sensitive files such as /etc/passwd to remove the root user’s password, adding SSH keys for remote access, and even executing arbitrary code with the highest privileges. “To make this vulnerability more interesting, it not only works without write permissions, but also with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts),” Max Kellermann points out.

Patches to be installed urgently

The problem was fixed in Linux versions 5.16.11, 5.15.25 and 5.10.102 on February 23, 2022, three days after it was reported to the Linux kernel security team. Google, for its part, integrated the patches into the Android kernel on February 24, 2022. Given the ease with which the flaw can be exploited and the release of the PoC exploit, users are advised to update Linux servers immediately and to apply patches for other distributions as soon as they are available.
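The version numbers above (introduced in 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102) are what a defender needs to triage a fleet. The following is an added example, not code from the article or from Max Kellermann, that parses a `uname -r` string and reports whether the running kernel falls inside the affected range. The function names and the assumption that mainline 5.17 and later ship the fix are my own; the page only names the three stable releases.

```python
"""Triage helper for CVE-2022-0847 (Dirty Pipe) based on the kernel version string.

Added example (not from the article). Version boundaries come from the article;
the 5.17+ rule is an assumption about mainline kernels released after the fix.
"""
import platform
import re
from typing import Tuple

# From the article: the bug exists since 5.8 and was fixed in these stable releases.
FIRST_AFFECTED = (5, 8, 0)
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
# Assumption (not stated on the page): every mainline kernel from 5.17 on contains the fix.
FIRST_FIXED_MAINLINE = (5, 17, 0)


def parse_kernel_version(uname_r: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` string such as '5.15.0-91-generic'.

    A missing patch level (e.g. '5.10') is treated as 0.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version string: {uname_r!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def _fmt(v: Tuple[int, int, int]) -> str:
    return ".".join(str(x) for x in v)


def dirty_pipe_status(uname_r: str) -> str:
    """Classify a kernel version string as affected / fixed / not affected.

    Caveat: distribution kernels (e.g. Ubuntu's 5.15.0-NN) carry backported fixes
    under an unchanged upstream version, so 'affected' here means 'check your
    vendor advisory', not 'definitely vulnerable'.
    """
    v = parse_kernel_version(uname_r)
    if v < FIRST_AFFECTED:
        return "not affected (pre-5.8)"
    if v >= FIRST_FIXED_MAINLINE:
        return "fixed (5.17+)"
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        # 5.8, 5.9, 5.11-5.14: no upstream stable fix listed in the article.
        return "affected (branch without an upstream fix listed; check vendor backports)"
    if v >= fixed:
        return f"fixed ({_fmt(fixed)}+)"
    return f"affected (upgrade to {_fmt(fixed)} or later)"


if __name__ == "__main__":
    # On Linux platform.release() returns the same string as `uname -r`.
    release = platform.release()
    print(f"kernel {release}: {dirty_pipe_status(release)}")
```

Run it on each host as part of a patch audit; treat any "affected" result as a prompt to confirm against the distribution's security advisory and package changelog, since a backported fix does not change the upstream version number that `uname -r` reports.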