A new Linux vulnerability known as “Dirty Pipe” allows local users to gain root privileges via kernel exploits. It is similar to the 2016 vulnerability CVE-2016-5195, better known as “Dirty Cow”, but is easier to exploit.

The CVE-2022-0847 vulnerability was discovered in April 2021, but it took a few months to figure out what was really going on. Kellermann explained that the vulnerability affects Linux kernel 5.8 and later (including Android devices running untrusted applications), and that it was fixed in Linux 5.16.11, 5.15.25 and 5.10.102 (the latest release being 5.16.12).
Many servers continue to run outdated kernels, so upgrading is essential to avoid running a vulnerable version of the open source operating system.
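A first-pass inventory check built on the version numbers above, as an added example that is not part of the original article or of Kellermann's work. It classifies `uname -r` strings by upstream version only; the treatment of branches after 5.16 as fixed, the status labels and the sample hosts are assumptions made for illustration.

```python
import re

# Bounds as given in the article: affected from 5.8, fixed in these stable releases.
FIRST_AFFECTED = (5, 8)
FIXED_STABLE = {(5, 10): 102, (5, 15): 25, (5, 16): 11}
# Assumption, not from the article: every branch after 5.16 carries the fix.
FIRST_FIXED_BRANCH = (5, 17)

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def classify(release):
    """Map a `uname -r` string to a Dirty Pipe status by upstream version number."""
    m = _RELEASE.match(release.strip())
    if not m:
        return "unknown"
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    if branch < FIRST_AFFECTED:
        return "not-affected"
    if "-rc" in release:
        # Release candidates may predate the fix on their branch; check by hand.
        return "unknown"
    if branch >= FIRST_FIXED_BRANCH:
        return "fixed"
    # Branches with no fixed release listed (5.8, 5.9, 5.11-5.14) fall through.
    fixed_from = FIXED_STABLE.get(branch)
    if fixed_from is not None and patch >= fixed_from:
        return "fixed"
    return "vulnerable"


def triage(inventory):
    """Group hostnames by status so the 'vulnerable' list can drive patching."""
    groups = {}
    for host, release in sorted(inventory.items()):
        groups.setdefault(classify(release), []).append(host)
    return groups


# Constructed sample inventory (hostnames and release strings are made up).
SAMPLE = {
    "log-01": "5.4.0-100-generic",
    "log-02": "5.10.101",
    "web-01": "5.10.102",
    "web-02": "5.13.0-30-generic",
    "web-03": "5.16.12",
    "dev-01": "5.17.0-rc5",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Distribution kernels often backport fixes without changing the upstream version prefix, so a "vulnerable" result here is a prompt to check the vendor's advisory rather than a final verdict.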
Discovered by chance
This security flaw was discovered by Max Kellermann of CM4all’s parent company, Ionos, after repeatedly receiving support tickets about corrupted archives in the web server access logs of one of his clients.

The exploit affected Linux kernel 5.8 and higher
“It all started a year ago with a support ticket about corrupted files. A customer complained that the access logs they were downloading could not be uncompressed. And indeed, there was a corrupt log file on one of the log servers; it could be uncompressed, but Gzip reported a CRC (cyclic redundancy check, an error detection code used to detect accidental changes to data) error. I couldn’t explain why it was corrupt, but I assumed the nightly split process had crashed and left a corrupt file. I fixed the CRC of the file manually, closed the ticket and soon forgot about the problem.
Months later, this happened again and again. Every time the file content seemed correct, only the CRC at the end of the file was wrong. Now, with several corrupted files, I was able to dig deeper and found a surprising type of corruption. A pattern emerged.”
Operating system bugs and application-level vulnerabilities like these can allow attackers to escalate privileges, move laterally within the network, execute arbitrary code, and completely take over other devices.
Study of the exploit and search for solutions
Studying the bug, Kellermann found that exploiting the vulnerability is subject to certain limitations: the attacker must have read permissions, the offset must not be on a page boundary, the write cannot cross a page boundary, and the file cannot be resized.

Had it been disclosed before it was patched, Linux would have had serious security problems.
The bug report, exploit, and patch were submitted to the Linux Kernel Security Team by Kellermann on February 20, 2022. The bug was reproduced on the Google Pixel 6 and a bug report was submitted to the Android Security Team. Linux released fixed stable builds (5.16.11, 5.15.25, and 5.10.102) on February 23, and Google merged the Kellermann bug fix into the Android kernel on February 24.
Mike Parkin of Vulcan Cyber said that any exploit that provides root-level access to a Linux system is problematic:
“An attacker who gains root gains full control over the target system and can leverage that control to reach other systems. The mitigating factor for this vulnerability is that it requires local access, which slightly reduces the risk,” said Parkin.