Linux Distributions are currently releasing patches to fix a security flaw in the kernel. This vulnerability could enable an attacker to read any files that contain arbitrary data and then take control of the affected system.
Dubbed “Dirty Pipe” (CVE-2022-0847, CVSS score: 7. 8) by IONOS software developer Max Kellermann, the flaw “leads to privilege escalation because unprivileged processes can inject code into root processes. “
Kellerman said the bug was discovered after digging into a support issue raised by one of the customers of the cloud and hosting provider that concerned a case of a “surprising kind of corruption” affecting web server access logs.
The Linux kernel flaw is said to have existed since version 5. 8, with the vulnerability sharing similarities to that of Dirty Cow (CVE-2016-5195), which came to light in October 2016.
“A flaw was found in the way the ‘flags’ member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values,” Red Hat explained in an advisory published Monday.
” An unprivileged user local could exploit this flaw and write to pages stored in page caches backed with read-only files, and thus escalate their privileges.” it said.
Pipe, short for pipeline, is a unidirectional inter-process communication mechanism in which a set of processes are chained together such that each process takes input from the previous process and produces output for the next process.
Exploiting the weakness requires performing the following steps: Create a pipe, fill the pipe with arbitrary data, drain the pipe, splice data from the target read-only file, and write arbitrary data into the pipe, Kellerman outlined in a proof-of-concept (PoC) exploit demonstrating the flaw.
Put simply; the vulnerability is high risk in that it allows an attacker to perform a number of malicious actions on the system, including tampering with sensitive files such as /etc/passwd to remove a root user’s password, adding SSH keys for remote access, and even executing arbitrary binaries with the highest privileges.
“To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts),” the researcher said. “That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions. “
The issue has been fixed in Linux versions 5.16. 11, 5.15. 25, and 5.10. 102 as of February 23, 2022, three days after it was reported to the Linux kernel security team. Google, for its part, has merged the fixes into the Android kernel on February 24, 2022.
Given the ease with which the security flaw can be exploited and the release of the PoC exploit, it’s recommended that users update Linux servers immediately and apply the patches for other distros as soon as they are available.