Linux distributions are in the process of issuing patches to address a newly disclosed security vulnerability in the kernel that could allow an attacker to write arbitrary data into read-only files and take complete control of affected systems.
Dubbed “Dirty Pipe” (CVE-2022-0847, CVSS score: 7.8) by IONOS software developer Max Kellermann, the flaw “leads to privilege escalation because unprivileged processes can inject code into root processes.”
Kellermann said the bug was discovered after digging into a support issue raised by one of the customers of the cloud and hosting provider that concerned a case of a “surprising kind of corruption” affecting web server access logs.
“A flaw was found in the way the ‘flags’ member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values,” Red Hat explained in an advisory published Monday.
“An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system,” it added.
Pipe, short for pipeline, is a unidirectional inter-process communication mechanism in which a set of processes are chained together such that each process takes input from the previous process and produces output for the next process.
Exploiting the weakness requires performing the following steps: create a pipe, fill the pipe with arbitrary data, drain the pipe, splice data from the target read-only file, and write arbitrary data into the pipe, Kellermann outlined in a proof-of-concept (PoC) exploit demonstrating the flaw.
Put simply, the vulnerability is high risk in that it allows an attacker to perform a number of malicious actions on the system, including tampering with sensitive files such as /etc/passwd to remove a root user’s password, adding SSH keys for remote access, and even executing arbitrary binaries with the highest privileges.
“To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts),” the researcher said. “That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”
The issue has been fixed in Linux versions 5.16.11, 5.15.25, and 5.10.102 as of February 23, 2022, three days after it was reported to the Linux kernel security team. Google, for its part, has merged the fixes into the Android kernel on February 24, 2022.
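A quick triage check derived from the fixed versions above, added here as an example (not code from the researcher or the kernel project): it parses a `uname -r` string and classifies it against the three stable releases named in the advisory. Assumptions: anything 5.17 or newer is treated as patched because the fix was merged upstream before 5.17 shipped; distribution kernels that backport the fix without changing the version string (for example a `5.15.0-xx-generic` build) will be reported as `vulnerable` by version alone, so that result means "check your distro's advisory", not "confirmed exploitable".

```python
import platform
import re

# First patched patch level per stable series, as listed in the advisory text.
FIXED_PATCH_LEVEL = {
    (5, 10): 102,   # 5.10.102
    (5, 15): 25,    # 5.15.25
    (5, 16): 11,    # 5.16.11
}


def parse_release(release):
    """Turn a `uname -r` string such as '5.15.0-25-generic' into (major, minor, patch).

    Distribution suffixes (-generic, -arch1-1, .el8 ...) are ignored; only the
    leading dotted numbers are used, and a missing patch level counts as 0.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_status(release):
    """Classify a kernel release as 'patched', 'vulnerable' or 'unknown'.

    Judged purely by upstream version numbers; a distro kernel with a
    backported fix can still show up as 'vulnerable' here (see lead-in).
    """
    major, minor, patch = parse_release(release)
    series = (major, minor)
    if series in FIXED_PATCH_LEVEL:
        return "patched" if patch >= FIXED_PATCH_LEVEL[series] else "vulnerable"
    # Assumption (not stated on this page): 5.17 and later were released after
    # the upstream fix was merged, so they are treated as patched.
    if (major, minor) >= (5, 17):
        return "patched"
    # Older or end-of-life series: no fixed version is named in the advisory,
    # so defer to the distribution's own security advisory.
    return "unknown"


if __name__ == "__main__":
    running = platform.release()
    print(f"{running}: {dirty_pipe_status(running)} (by upstream version only)")
```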
Given the ease with which the security flaw can be exploited and the release of the PoC exploit, it’s recommended that users update Linux servers immediately and apply the patches for other distros as soon as they are available.