In these days the presence of a vulnerability that affects the Linux kernel and in particular version 5.8 and later has been made known. The vulnerability, nicknamed Dirty Pipe, represents one of the most serious threats to have been identified in recent years.
Let's see what this breach is all about and how it was discovered. Let's also find out what it could be used for and what the possible mitigation methods are.
Table of Contents
What is Dirty Pipe Vulnerability
A critical vulnerability in Linux distributions has recently been identified. It is an issue that affects the kernel and affects some of the most recent versions.
The vulnerability is identified as CVE-2022-0847 according to the CVE (Common Vulnerabilities and Exposures) classification system and has been nicknamed Dirty Pipe. The presence of this flaw was made known on March 7, 2022, and updates are already in place for some distributions.
Let's see which kernel versions are affected and how the vulnerability works.
Dirty Pipe: the affected versions of kernel
As reported by Max Kellermann, the person who identified the Dirty Pipe vulnerability, the problem affects kernel version 5.8 and later.
Thanks to the bug report, on February 23rd the kernel updates 5.16.11, 5.15.25 and 5.10.102 were released, so they are not affected by the vulnerability.
Similarly, versions prior to 5.8 are not affected.
As for the Android operating system, Kellermann himself reported the vulnerability on affected devices including Google Pixel 6. Samsung Galaxy S22 devices, running Android version 5.10.43, are also covered by the vulnerability.
As per Kellermann's report, the patch was inserted into the Android kernel on February 24th.
Dirty Pipe, how the kernel vulnerability was discovered
Before we understand how the vulnerability that was recently discovered works, we need to take a step back and briefly go over the events that led to its identification.
This vulnerability was identified thanks to Max Kellermann of CM4all who published a detailed account of the problem on March 7th, 2022.
Starting with a support ticket reporting corrupted files, Kellermann was then able to identify a pattern and trace the cause of the error: a bug in the kernel.
Since the first report in April 2021, it took several months of analysis. The efforts ended in February 2022 when Kellermann was able to identify the error in the Linux kernel.
The Dirty Pipe vulnerability was then reported to the Linux Kernel and Android security teams.
Kellermann then released a report and proof of concept in which he demonstrated the vulnerability and how it can be exploited.
How Dirty Pipe works
For a detailed and technical explanation of how the Dirty Pipe vulnerability works I refer you to the report by Kellermann. Here we will try to simplify how the vulnerability works so that it is understandable even to those less familiar with Linux.
The name used to identify the vulnerability, and in particular "Pipe", suggests to us that the pipeline, a mechanism that allows for communication between two processes, is involved. Specifically, the output of one process is used as input for the next process.
This is a serious vulnerability that allows users who should not be authorized to make changes to files.
By exploiting this vulnerability, a user without privileges can modify and overwrite any file, even those with read-only permissions. This allows a malicious user or a hacker to gain root permissions and can modify any file.
If, in fact, the vulnerability can be exploited to obtain write permissions even on read-only files, a way has been found to use it in different ways as well. You could open backdoors in the system, create user profiles with root permissions and exploit the vulnerability to alter data and the system to your advantage, by modifying scripts or binary files.
In addition to Kellermann's proof of concept, which you can view in his report, other security experts have also demonstrated how the Dirty Pipe vulnerability can be used.
For example, it has been shown that you can overwrite the /etc/passwd file so that a user with root permissions does not need a password. This allows an unprivileged user to gain root permissions without needing credentials.
Dirty Pipe and Dirty COW, the differences
What makes this vulnerability even more risky is the ease with which it can be exploited. In fact, Max Kellermann compared the Dirty Pipe vulnerability to CVE-2016-5195, better known as Dirty COW, specifying that Dirty Pipe is easier to exploit.
In 2016, another kernel vulnerability was identified, called Dirty COW. In this case, a flaw in the kernel's Copy-On-Write system was exploited.
Thanks to this vulnerability even unprivileged users could exploit write permissions. By exploiting this flaw and being able to access memory locations that would otherwise be inaccessible, malicious users could modify ("dirty") the data, hence the name "dirty COW", where "COW" stands for Copy-On-Write.
The vulnerability, which initially was only exploited locally, soon turned out to be useful to be exploited remotely as well, and this is how web servers were targeted. By combining the flaw with vulnerabilities in an Apache server, an attacker could obtain root permissions on a remote server via an SSH Connection
Moreover, the Dirty COW vulnerability was exploited in Android devices. A few days after the identification of the vulnerability, in fact, a malware (ZNIU) was found that exploiting this vulnerability was able to get root access to the device and create a backdoor.
Dirty Pipe: what to know about mitigation
Since this is a kernel vulnerability involving system functions, there is no way to mitigate the problem. Therefore, the solution is to update the operating systems affected by the Dirty Pipe vulnerability.
TuxCare reports that updates are available for the following distributions: RHEL 8, Oracle EL 8, CentOS8, Almalinux 8, Rocky Linux, Ubuntu 20.04, CloudLinux 8 and CloudLinux 7.
As patches for KernelCare become available the TuxCare. blog post will be updated.
This is in the case of desktop and Android devices. What about, however, in the case of web servers?
The vulnerability is present on Kernel 5.8 and later. On SupportHost we use a different version of the kernel, which is therefore not affected by the vulnerability.
In any case we use KernelCare which allows us to apply patches as they are released.
If you are our customer, you are safe.
We have seen that the Dirty Pipe vulnerability can be used to overwrite system files and gain root privileges, in a nutshell having full access to the device or server. The identification of the vulnerability has allowed the release of updates for different Linux distributions to eliminate the flaw.
As we have seen in conclusion, SupportHost servers are not affected by the vulnerability, because our kernel version is not among those affected.