Endpoint Security , Governance & Risk Management , Patch Management
'Dirty Pipe' Permission Flaw Patched in Linux Kernel
Privilege Escalation Flaw Allows for Complete Device TakeoverA newly revealed flaw in the Linux kernel dubbed "Dirty Pipe" could potentially allow attackers to take complete control over a device, read private messages and gain admin-level privileges.
See Also: Cyber Hygiene and Asset Management Perception vs. Reality
The flaw, CVE-2022-0847, was discovered by Max Kellermann, who is a software developer for the web hosting company Ionos. Kellerman found the privilege escalation bug allows threat actors in Linux versions 5.8 and beyond to inject code into read-only files, among other malicious activity.
The Linux Foundation has already released a security patch to update all affected versions and Google has done the same for Android users.
Kellermann says that threat actors could also leverage the bug to compromise banking applications or victimize Android users who install and run a vulnerable app.
Clogging Linux Pipes With Malicious Code
Kellermann, who discovered the flaw after monitoring a series of complaints for corrupt files since April 2021, says the Dirty Pipe bug is similar to the Dirty Cow vulnerability, tracked as CVE-2016-5195. Dirty Cow is a Linux kernel flaw that emerged in 2016 and allowed threat actors to gain admin-level access to organizational networks. Kellermann says that Dirty Pipe is much easier to exploit than Dirty Cow.
After monitoring the corrupt files, Kellermann began to see a pattern emerge, which showed 37 corrupt files between Nov. 2021 and Feb. 2022. The last day of the month had the most corruptions. In an odd finding, only the primary server log showed the corruptions while the standby server showed none. Otherwise, all data remained the same. Additional analysis determined the flaw originated in the Linux kernel code.
In order to leverage an attack with Dirty Pipe , threat actors would have to follow a series of steps, including creating a pipe, which is a command to direct communication between processes or programs, according to Kellermann.
"To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files," Kellerman writes, adding that "the page cache is always writeable" via the kernel and "writing to a pipe never checks any permissions."
There are some limitations to an attacker's abilities to exploit Dirty Pipe. For instance, the threat actor needs access to read permissions, and a file cannot be resized.
Kellermann disclosed the flaw to the Linux Foundation in February, which then followed the rollout of new upgrades.
Plan, Patch, Repeat
Thorsten Leemhuis, a Germany-based Linux expert who created the Linux-Kernal Regression Tracking Bot project, tweeted about the new vulnerability, which took some time to detect, fix and disclose.
Exhibit 3254 in the tales of "always update to new #Linux #kernel releases, as they often fix security issues not yet disclosed":
— Thorsten Leemhuis – the Linux kernel logger (1/5) (@kernellogger) March 7, 2022
The Dirty Pipe Vulnerability (CVE-2022-0847), which allows overwriting data in arbitrary read-only files since 5.8 – https://t.co/pTOZxdfEhG pic.twitter.com/meDIBB1GIW
Mike Parkin, senior technical engineer for risk management company Vulcan Cyber, says the fact that the attack vector requires an attacker to already have local access lowers the risk. On the other hand, he says an attacker's first priority will be to gain full control of a victim's device to "extend their foothold to other victims," creating a trickle-down effect that could allow an attacker to collect data on other targets.
"This hasn't changed for ages and is unlikely to change in the foreseeable future," he says.
Shweta Khare, a cybersecurity evangelist for security firm Delinea, says several vulnerabilities that allow attackers to gain access to local or admin privileges have already made headlines this year. One way this can hurt businesses, Khare says, is that containers and microservices, common tools used in the development architecture, while keeping a higher degree of security, can oftentimes be overlooked.
"In most organizations, microservices and containers are not yet covered under the enterprise security plan," Khare says, adding that paying close attention to privilege management, particularly across data centers and cloud-based systems, is essential to guard against cyberattacks related to privilege access flaws.