Blog: The pipes that burst a new vulnerability into the Linux Kernel

by Renato de Oliveira, Senior SOC Engineer
Published on: 10th March 2022

We have researched a new Linux vulnerability nicknamed ‘Dirty Pipes’ which is being exploited in the wild.

Why should we care?

Linux kernel version 5.8 and later contain a serious privilege-escalation vulnerability that can lead to root access and works without write permissions. It affects all Linux distributions, including Android devices such as Samsung Galaxy and Google Pixel.

Dirty Pipes story

Security professional Max Kellermann has uncovered a new security flaw in the Linux kernel, registered as CVE-2022-0847.

This new high-risk vulnerability allows local users to obtain root privileges and can be exploited easily, affecting all major Linux distributions with kernel 5.8 and later versions.

This vulnerability allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes. It is similar to the “Dirty Cow” vulnerability, registered as CVE-2016-5195, but is much easier to exploit.

The vulnerability was discovered whilst investigating some cases of corrupted log files in the CM4all hosting environment, processed by their custom HTTP server.

It was noticed that the CRC32 for some of the logs indicated they were corrupted, which sparked an investigation of all the source code. When they could not find any traces of the bug within their own code, they decided to investigate the code for the Linux kernel and there it was, the flaw.

Max wrote some programs to test his theory and to his surprise, the Linux kernel was to blame.

In software programming and scripting, a pipe is a technique for passing information from one program or process to another. It is one-way communication only: one end pushes data and the other end receives and processes it, and could potentially push the result into another pipe until the desired result is achieved.

Some data gets pushed into the pipe, then lots of files get spliced into it, which creates references to the page cache. The page cache only writes a page back to disk when it thinks the page is “dirty”.

“Accidentally overwriting data in the page cache will not make the page “dirty”. If no other process happens to “dirty” the file, this change will be ephemeral; after the next reboot (or after the kernel decides to drop the page from the cache, e.g., reclaim under memory pressure), the change is reverted. This allows interesting attacks without leaving a trace on hard disk.”

This vulnerability is interesting because it works not only without write permission, but also with immutable files, on read-only btrfs (btrfs is a computer storage format that combines a file system based on the copy-on-write principle with a logical volume manager, developed together) and on read-only mounts, including CD-ROM mounts. The page cache is always writable by the kernel, and writing to a pipe involves no permission checks.
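Because a page overwritten this way is never marked dirty, the change disappears once the kernel drops the page from the cache. The following defensive check is an added example, not code from the original post or from the researcher: it hashes a file, asks the kernel to evict the file's clean cached pages, and hashes it again. The function names are hypothetical, and it assumes a Linux host where `posix_fadvise` with `POSIX_FADV_DONTNEED` evicts the pages in question.

```python
#!/usr/bin/env python3
"""Compare a file's cached content with what is re-read after eviction (Linux)."""
import hashlib
import os
import sys


def _sha256_fd(fd):
    """Hash the whole file using ordinary reads, which go through the page cache."""
    digest = hashlib.sha256()
    os.lseek(fd, 0, os.SEEK_SET)
    while chunk := os.read(fd, 1 << 20):
        digest.update(chunk)
    return digest.hexdigest()


def cache_matches_disk(path):
    """True if the content is identical before and after dropping cached pages.

    False means the cached copy differed from the copy on storage. A writer
    racing with the two reads also yields False, so re-check before alerting.
    True is not proof of integrity: the eviction request is advisory and
    pages mapped by other processes may stay cached.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        cached = _sha256_fd(fd)
        # offset 0, length 0 = whole file; only clean (non-dirty) pages are dropped
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        reread = _sha256_fd(fd)
    finally:
        os.close(fd)
    return cached == reread


def audit(paths):
    """Map each path to True/False, or to the OSError that prevented the check."""
    results = {}
    for path in paths:
        try:
            results[path] = cache_matches_disk(path)
        except OSError as exc:
            results[path] = exc
    return results


if __name__ == "__main__":
    for name, outcome in audit(sys.argv[1:]).items():
        label = {True: "consistent", False: "MISMATCH"}.get(outcome, f"error: {outcome}")
        print(f"{label:12} {name}")
```

Pass the files to check as arguments. The check evicts the cached copy it inspects, so record the first hash elsewhere if the mismatch itself is needed as evidence.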

Summary

Currently there is no mitigation available for this flaw. You should update your kernel once your distribution makes a patch available.

To read more about this security flaw see the links below:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
https://dirtypipe.cm4all.com/

If you have any concerns about this or any other vulnerability, please get in touch to arrange a chat.
