Endpoint Security , Governance & Risk Management , Patch Management

'Dirty Pipe' Permission Flaw Patched in Linux Kernel

Privilege Escalation Flaw Allows for Complete Device Takeover
'Dirty Pipe' Permission Flaw Patched in Linux Kernel
Source: @whatispictureperfect via unsplash.com

A newly revealed flaw in the Linux kernel dubbed "Dirty Pipe" could potentially allow attackers to take complete control over a device, read private messages and gain admin-level privileges.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

The flaw, CVE-2022-0847, was discovered by Max Kellermann, who is a software developer for the web hosting company Ionos. Kellerman found the privilege escalation bug allows threat actors in Linux versions 5.8 and beyond to inject code into read-only files, among other malicious activity.

The Linux Foundation has already released a security patch to update all affected versions and Google has done the same for Android users.

Kellermann says that threat actors could also leverage the bug to compromise banking applications or victimize Android users who install and run a vulnerable app.

Clogging Linux Pipes With Malicious Code

Kellermann, who discovered the flaw after monitoring a series of complaints for corrupt files since April 2021, says the Dirty Pipe bug is similar to the Dirty Cow vulnerability, tracked as CVE-2016-5195. Dirty Cow is a Linux kernel flaw that emerged in 2016 and allowed threat actors to gain admin-level access to organizational networks. Kellermann says that Dirty Pipe is much easier to exploit than Dirty Cow.

After monitoring the corrupt files, Kellermann began to see a pattern emerge, which showed 37 corrupt files between Nov. 2021 and Feb. 2022. The last day of the month had the most corruptions. In an odd finding, only the primary server log showed the corruptions while the standby server showed none. Otherwise, all data remained the same. Additional analysis determined the flaw originated in the Linux kernel code.

In order to leverage an attack with Dirty Pipe , threat actors would have to follow a series of steps, including creating a pipe, which is a command to direct communication between processes or programs, according to Kellermann.

"To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files," Kellerman writes, adding that "the page cache is always writeable" via the kernel and "writing to a pipe never checks any permissions."

There are some limitations to an attacker's abilities to exploit Dirty Pipe. For instance, the threat actor needs access to read permissions, and a file cannot be resized.

Kellermann disclosed the flaw to the Linux Foundation in February, which then followed the rollout of new upgrades.

Plan, Patch, Repeat

Thorsten Leemhuis, a Germany-based Linux expert who created the Linux-Kernal Regression Tracking Bot project, tweeted about the new vulnerability, which took some time to detect, fix and disclose.

Mike Parkin, senior technical engineer for risk management company Vulcan Cyber, says the fact that the attack vector requires an attacker to already have local access lowers the risk. On the other hand, he says an attacker's first priority will be to gain full control of a victim's device to "extend their foothold to other victims," creating a trickle-down effect that could allow an attacker to collect data on other targets.

"This hasn't changed for ages and is unlikely to change in the foreseeable future," he says.

Shweta Khare, a cybersecurity evangelist for security firm Delinea, says several vulnerabilities that allow attackers to gain access to local or admin privileges have already made headlines this year. One way this can hurt businesses, Khare says, is that containers and microservices, common tools used in the development architecture, while keeping a higher degree of security, can oftentimes be overlooked.

"In most organizations, microservices and containers are not yet covered under the enterprise security plan," Khare says, adding that paying close attention to privilege management, particularly across data centers and cloud-based systems, is essential to guard against cyberattacks related to privilege access flaws.

About the Author

Devon Warren-Kachelein

Devon Warren-Kachelein

Former Staff Writer, ISMG

Warren-Kachelein began her information security journey as a multimedia journalist for SecureWorld, a Portland, Oregon-based cybersecurity events and media group. There she covered topics ranging from government policy to nation-states, as well as topics related to diversity and security awareness. She began her career reporting news for a Southern California-based paper called The Log and also contributed to tech media company Digital Trends.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.