Dirty Pipe Flaw in Linux Kernel Lets Hackers Overwrite Root Files, Escalate Privileges


Linux is synonymous with reliable process management, efficiency, uptime, and, most importantly, security. However, the much-loved operating system has sometimes fallen short on the last count over the years. The latest hiccup is the Dirty Pipe vulnerability, which enables privilege escalation.

The Dirty Pipe flaw, tracked as CVE-2022-0847, allows a threat actor to overwrite data in arbitrary read-only files. The vulnerability can also enable an attacker to inject code into root processes, thus leading to privilege escalation.

Max Kellermann, a software engineer developing backend/infrastructure software for CM4all, discovered the Dirty Pipe vulnerability after months of analysis of a file corruption complaint filed by one of CM4all’s customers last April.

The complaint, concerning the corruption of web server access logs, initially led Kellermann to attribute it to a minor bug. “Months later,” he said, “this happened again and yet again. Every time, the file’s contents looked correct, only the CRC at the end of the file was wrong. Now, with several corrupt files, I was able to dig deeper and found a surprising kind of corruption.”

Dirty Pipe Vulnerability

The exploitable vulnerability is named after the Dirty Cow vulnerability discovered in 2016 based on their similarities. “He called the vulnerability Dirty Pipe, because it involves insecure interaction between a true Linux file (one that’s saved permanently on disk) and a Linux pipe, which is a memory-only data buffer that can be used like a file,” wrote Paul Ducklin, a principal research scientist at Sophos.

Dirty Cow was also a privilege escalation vulnerability. The ‘Pipe’ in Dirty Pipe refers to the flaw residing in the Linux pipe mechanism, an inter-process communication facility. A Linux pipeline chains two or more processes communicating unidirectionally, with each process taking the output of the previous one as its input.

Kellermann neatly laid out the exploitation steps, which involve creating a pipe, filling it with arbitrary data, draining the pipe, splicing data from the target file into it, and then writing arbitrary data into the pipe. That final write overwrites the cached file page instead of creating a new anonymous buffer.

“If you have a pipe that you are allowed to write to and a file that you aren’t, then, sometimes, writing into the pipe’s memory buffer may inadvertently also modify the kernel’s temporary in-memory copies — the so-called cache pages — of various parts of the disk file,” Ducklin explained.


“Annoyingly, even if the file is flagged as ‘read only’ by the operating system itself, modifying its underlying kernel cache is treated as a ‘write.’ As a result, the modified cache buffer is flushed back to disk by the kernel, permanently updating the contents of the stored file, despite any operating system permissions applied to it.”

The point is this: unprivileged users, or hackers, can discreetly modify read-only files, including sensitive ones such as /etc/passwd. A security researcher, “Phith0n,” found that attackers could also overwrite SUID programs.

The Dirty Pipe vulnerability resides in Linux kernel 5.8 and onwards. It has a CVSS score of 7.8. “It’s about as severe as it gets for a local kernel vulnerability,” Brad Spengler, president of Open Source Security, told ArsTechnica. “Just like Dirty Cow, there’s essentially no way to mitigate it, and it involves core Linux kernel functionality.” However, updating the Linux kernel to version 5.15.25, 5.16.11, or 5.10.102 fixes the flaw.

What’s At Risk from the Dirty Pipe Vulnerability?

It is a severe vulnerability because exploitation isn’t difficult, as noted by BLASTY, another researcher who detailed it on their blog. All distributions of the open-source OS, such as Red Hat, Ubuntu, SUSE, Debian, etc., are impacted and have started rolling out their respective updates. The affected platforms include cloud vendors Azure (AKS), Amazon (EKS), and Google Cloud Platform. Android users are also at risk since the mobile OS is based on Linux.

The problem on Android is compounded by the fragmented development of the OS. There are multiple Android versions, each from a different original equipment manufacturer (OEM), commanding a significant market share. Nearly half of the security updates on Android may not even reach the end user because of this.

Nevertheless, Kellermann apprised the Android Security Team at Google, which merged the fix into the Android kernel. Kellermann sent the fix to Google after reproducing the exploit on a Pixel 6 device. Android on the Pixel 6 and Samsung Galaxy S22 runs kernel version 5.10.43, making both devices vulnerable to the Dirty Pipe flaw.

Most devices older than the Pixel 6 and Galaxy S22 have Linux kernel version 5.4 or earlier. To check if your device is vulnerable to CVE-2022-0847, go to Settings > About phone > Android version. If the kernel version is less than 5.8 or is any of the versions 5.15.25, 5.16.11, or 5.10.102, you’re safe. If not, watch out for security updates from the OEM and apply them as soon as possible.
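As an added example (not from the article or from Kellermann’s write-up), here is a Python check that applies the version rule above to a kernel release string as shown under About phone or by `uname -r`. It goes slightly beyond the article by also treating later releases on the 5.10, 5.15 and 5.16 stable branches, and 5.17 and newer, as fixed; the sample version strings are constructed.

```python
import platform
import re

# Stable releases that carry the fix, per the article. The generalisation that
# any later release on the same branch is also fixed is an assumption made here.
FIXED_RELEASES = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_AFFECTED = (5, 8, 0)          # bug introduced in 5.8
FIRST_FIXED_MAINLINE = (5, 17, 0)   # mainline 5.17 and later ship fixed


def parse_kernel_version(release: str):
    """Reduce '5.10.43-android12-9-...' or '5.4.0-100-generic' to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(release: str) -> bool:
    """True if the upstream version number falls inside the CVE-2022-0847 window.
    Caveat: distribution kernels often backport fixes under an old version number,
    so this is only meaningful for kernels versioned like upstream/Android ones."""
    v = parse_kernel_version(release)
    if v < FIRST_AFFECTED or v >= FIRST_FIXED_MAINLINE:
        return False
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return True   # 5.8 to 5.14 branches were end-of-life and got no fixed release
    return v < fixed


def check_kernels(releases):
    """Map each release string to its vulnerability verdict."""
    return {r: is_vulnerable(r) for r in releases}


if __name__ == "__main__":
    # Constructed samples: the Pixel 6 kernel named in the article plus a few others.
    samples = ["5.10.43-android12-9-00001-gdeadbeef", "5.10.102", "5.4.0-100-generic"]
    for rel, vuln in check_kernels(samples).items():
        print(f"{rel}: {'VULNERABLE' if vuln else 'not affected'}")
    print(f"this host ({platform.release()}): {is_vulnerable(platform.release())}")
```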
