New privilege escalation vulnerability called 'Dirty Pipe' is threatening all Linux distros

Recently, security researcher Max Kellermann disclosed a security flaw called 'Dirty Pipe'. It affects Linux kernel 5.8 and above, and even Android devices.

"Dirty Pipe" is tracked as CVE-2022-0847. When exploited successfully, an unprivileged hacker can insert and overwrite data in read-only files, including SUID processes running as root.

Kellermann discovered this vulnerability after tracking a bug that was corrupting the web server access logs of one of his customers.

Kellermann said "Dirty Pipe" is similar to the Dirty COW vulnerability (CVE-2016-5195) that was patched in 2016.


Details of how to gain root access have been shared publicly

In his write-up, Kellermann also publicly disclosed how to exploit the vulnerability. Using it, local users can write their own data into sensitive read-only files, remove restrictions, or modify configurations to gain greater access than they would normally have.

For example, security researcher Phith0n exploited this vulnerability to modify the /etc/passwd file so that the root account no longer had a password. After this change, an unprivileged user just needs to execute the command "su root" to get access to the root account.

Several other exploits were also made public soon after.

What do users need to do?

Before going public about "Dirty Pipe", Kellermann reported it to the organizations responsible for the maintenance of Linux distros, including the Linux kernel security group and the Android Security Team.

Currently, this vulnerability has been fixed in Linux kernels 5.16.11, 5.15.25 and 5.10.102, but many servers are still running unpatched kernels. The publicly shared exploits will therefore cause many problems for server administrators.
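The version figures above can be turned into a quick triage check for a fleet of servers. The shell function below is an added example, not code from Kellermann or from the original article; the function name `dirty_pipe_status`, its status strings, and the treatment of kernels newer than the 5.16 series as fixed are assumptions.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the versions
# named in the article (affected from 5.8; fixed in 5.16.11, 5.15.25, 5.10.102).
# Usage: dirty_pipe_status [release]   (defaults to the running kernel)
# Prints one of: not-affected | fixed | likely-vulnerable | unknown

dirty_pipe_status() (
    rel=${1:-$(uname -r)}

    # Keep only the leading numeric part: 5.15.0-91-generic -> 5.15.0
    ver=$(printf '%s\n' "$rel" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    if [ -z "$ver" ]; then echo unknown; exit 0; fi

    # Split on dots into major / minor / patch (patch defaults to 0).
    IFS=.
    set -- $ver
    major=$1 minor=$2 patch=${3:-0}

    # Older than 5.8: outside the affected range given in the article.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; exit 0
    fi

    # Newer than the 5.16 series: assumed to carry the fix
    # (assumption; the article only lists the three stable releases).
    if [ "$major" -gt 5 ] || [ "$minor" -gt 16 ]; then
        echo fixed; exit 0
    fi

    # Series with a fixed release listed in the article.
    case $minor in
        10) min=102 ;;
        15) min=25 ;;
        16) min=11 ;;
        *)  echo likely-vulnerable; exit 0 ;;  # no fixed release listed
    esac

    if [ "$patch" -ge "$min" ]; then echo fixed; else echo likely-vulnerable; fi
)

# Constructed sample releases; the last line checks the running kernel.
for r in 5.7.19 5.10.101 5.10.102 5.15.0-91-generic 5.16.11-arch1-1 "$(uname -r)"; do
    printf '%-24s %s\n' "$r" "$(dirty_pipe_status "$r")"
done
```

Distribution kernels often backport fixes without changing the upstream version number, so a `likely-vulnerable` result on a vendor kernel should be confirmed against the vendor's advisory for CVE-2022-0847.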

Moreover, because exploitation is so easy and gaining root access is so simple, it's only a matter of time before this vulnerability is abused by hackers in cyber attacks. Previously, the Dirty COW vulnerability, although more difficult to exploit, was still abused by hackers.

Web hosting providers that provide Linux shell access or universities that typically provide shell access for multi-user Linux systems will have to pay special attention to this Dirty Pipe vulnerability.
