Linux “Dirty Pipe” vulnerability gives unprivileged users root access

A vulnerability in the Linux kernel, nicknamed “Dirty Pipe”, allows an unprivileged user to overwrite data in read-only files. This can lead to privilege escalation as a result of unprivileged processes being able to inject code into root processes.

If you’re not sure what that means but you think it sounds bad—you are correct!

The vulnerability was found and explained in detailby Max Kellerman of CM4all. The affected Linux kernel versions are 5.8 and above. The fixed versions are 5.16.11, 5.15.25 and 5.10.102.

CVE-2022-0847

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Dirty Pipe is the nickname for the vulnerability listed as CVE-2022-0847.

It is described as a flaw in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipeand

push_pipe

functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

To understand the name you need to know that a pipe is a data buffer in a Linux system’s memory that can be used as if it was a file. Pipes are used to pass information from one program to another by storing the output of the first program and then passing it to the second. For example, if you want to pass information from the list command lsto the paging program

less

, you’d join them with a pipe. On the command line, it looks like ls | less.

The Dirty Pipe vulnerability can be abused by creating a pipe—which the attacker has permission to change—and then confusing the Linux kernel into thinking that the pipe is a file the attacker doesn’t have permission to change.

If you are up for a full technical analysis, and would like to read about the journey of finding this vulnerability, feel free to read Max Kelderman’s post.

For those that want the short, less technical version, the confusion in the Linux kernel is created by making use of the caching pages. Caching pages are temporary copies of files in a system’s memory that are created to make the handling of frequently used files faster. The vulnerability allows the attacker to make changes to the cached copy of a file that should be “read-only” for a user without root permissions.

In this way, it is possible for an attacker to gain root privileges, which ultimately allows him to take control of an affected system.

Impact

The vulnerability is serious enough for the Cybersecurity and Infrastructure Security Agency (CISA) to issue a warning about it. Maybe because this vulnerability is similar to an older vulnerability disclosed in 2016, Dirty COW(CVE-2016-5195), which has been actively exploited by malicious actors since then. And according to the experts, this vulnerability is easier to exploit than Dirty COW was.

Proof-of-Concept has already been published by several researchers.

And while many readers may think: “Oh, it’s Linux, nothing for me to worry about”, the Linux kernel underpins an enormous number of websites and cloud services, and is a base for many other operating systems.

The Linux kernel is an extremely important part of the software on nearly every Android device, and some smartphones are therefore vulnerable to Dirty Pipe.

Mitigation

The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102, so make sure to get those or a later one if you are a Linux user.

For Android users it is a bit more complicated. There are so many devices and kernel versions, that it is hard to give a clear statement. We can say that version 5.x under normal circumstances will only be found on the latest models. My smartphone (1 year old) and many other legacy devices are not vulnerable, because the vulnerability does not affect 4.x versions, which account for the majority of devices from Google and other vendors. You can view your kernel version under SettingsAbout phoneAndroid/Software versionKernel version. Android users with 5.x versions should check whether they are vulnerable and, if so, be on the lookout for an update to be rolled out to fix this vulnerability.

Stay safe, everyone!