Dirty Pipe: What you need to know about the severe new Linux kernel bug
A severe new Linux kernel vulnerability dubbed "Dirty Pipe" allows an attacker with read-only access mode to escalate privileges and gain root. The vulnerability exists in all Linux kernel versions from 5.8 forward. Exploitation is not challenging and although the attack requires local access the impact is potentially significant.
This vulnerability has been assigned CVE-2022-0847. First found ("it started with a support ticket about corrupt files...") and reported by German software engineer Max Kellermann, the Linux kernel vulnerability was publicly disclosed on March 7, 2022 alongside a proof-of-concept exploit. As Kellermann notes in his write-up: "To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts)."
As Paul Zimski, VP at IT operations specialist Automox, notes: "The vulnerability exists in all Linux kernel versions from 5.8 forward and has been patched in Linux 5.16.11, 5.15.25 and 5.10.102. Dirty Pipe is expected to be patched in the various Linux OS vendors as the day progresses. This vulnerability is similar in nature to Dirty Cow in 2016, but is reportedly easier to exploit. Exploitation of Dirty Pipe could allow attackers to take control of systems and destroy or exfiltrate sensitive data. Given the prevalence of Linux in highly sensitive infrastructure, this is a very important vulnerability to mitigate. It is highly recommended that IT and SecOps admins prioritize patching and remediation of this vulnerability in the next 24 hours to reduce organizational risk."
Dirty Pipe: Vendors push prompt patches
The bug is in how the Linux kernel handles Unix pipes, or the onward direction of commands or processes.
Kellermann first sent a bug report, exploit and patch sent to the Linux kernel security team on February 20. They had pushed a stable release with a bug fix by February 23 and the following day Google had merged the bug fix into the Android kernel. Other vendors were catching up this week after public disclosure: overall a pace of patching in the open source community that would put many closed system enterprise vendors to shame.
Red Hat has made a vulnerability detection script available here.
The vulnerability only affects Ubuntu 21.10 and Ubuntu 20.04 LTS systems running the Linux 5.13 kernel. Canonical pushed a fix late Tuesday. Red Hat noted that for RHEL 8, the currently known exploits do not work: "However, the underlying flaw is still present and other novel ways leading to successful exploitation cannot be fully ruled out. Further, any Red Hat product based on Red Hat Enterprise Linux (including RHEL CoreOS) is also potentially impacted. This includes products that pull packages from the RHEL channel, such as Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Virtualization, and others."
Follow The Stack on LinkedIn
SUSE meanwhile said that "our currently maintained SUSE Linux Enterprise products are not affected as they ship older Linux Kernels than 5.8. The upcoming SUSE Linux Enterprise 15 SP4 with Linux kernel 5.14 will be already fixed before shipment.We will still release fixes for the first bug for SUSE Linux Enterprise 12 SP4 and newer and SUSE Linux Enterprise 15 and newer, even though they are not directly affected."
Those running any other Linux distribution should check if they are affected and patch promptly.
The vulnerability comes just eight weeks after a critical vulnerability in a programme installed by default on every major Linux distribution was identified and allocated CVE-2021-4034 and those engaging in some serious patching should check that they are not exposed to it too. Dubbed PwnKit it gives any unprivileged user the ability to easily gain root access in a potential nightmare for security teams hoping to prevent lateral movement by hackers who have gained a toe-hold in their systems. The vulnerability is in polkit’s pkexec, a SUID-root programme that’s ubiquitous across Linux boxes and used to control system-wide privileges in Unix-like operating systems. It was found by the research team at Qualys. US National Security Agency (NSA) Cybersecurity Director Rob Joyce noted on Twitter that the bug “has me concerned. Easy and reliable privilege escalation preinstalled on every major Linux distribution. Patch ASAP or use the simple chmod 0755 /usr/bin/pkexec mitigation. There are working POCs in the wild” he added.