An easily exploitable vulnerability (CVE-2022-0847) in the Linux kernel can be used by local unprivileged users to gain root privileges on vulnerable systems by taking advantage of already public exploits.
Discovered by security researcher Max Kellermann, the flaw – which he dubbed Dirty Pipe, due to its similarity to the Dirty Cow flaw – has already been patched in the Linux kernel and the Android kernel. Affected Linux distributions are in the process of pushing out security updates with the patch.
About the vulnerability (CVE-2022-0847)
CVE-2022-0847 is a flaw in the way the Linux kernel handles pipe buffer flags, and it allows attackers to overwrite data in read-only files and SUID binaries to achieve root access.
Talk about 2 POC of DirtyPipe(CVE-2022-0847)
Original POC: https://t.co/QBHYU6i33N is able to overwrite arbitrary file with offset like ./exp /etc/passwd 5 ":0:0:rootx"
Improved POC: https://t.co/qurmceoXI8 is able to overwrite a SUID program like ./exp /usr/bin/su pic.twitter.com/telIWSYG67
— Phith0n (@phithon_xg) March 7, 2022
Kellermann’s write-up on how he discovered the vulnerability is a great source of information for security researchers, and includes his PoC exploit. Other researchers have come up with variations.
The bug is obviously easy to exploit, though it can’t be done remotely – attackers need to have prior access to a vulnerable host to deploy an exploit. Nevertheless, if the Dirty Cow flaw was exploited by attackers in the wild, you can be sure they will take advantage of Dirty Pipe, as well.
What to do?
Users of various Linux distributions and Android devices should be on the lookout for security updates implementing the patch.
CVE-2022-0847 affects Linux Kernel 5.8 and later versions (possibly even earlier ones), and has been fixed in Linux 5.16.11, 5.15.25 and 5.10.102 and the latest Android kernel.
Organizations that develop various Linux distributions were also notified about it in February and are testing their packages for the flaw and fixing it where found and exploitable (SUSE, Red Hat, Debian).
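For triage on a fleet, the version ranges above can be turned into a quick check against `uname -r`. The script below is an added example written for this page, not code from the article or from any vendor; it encodes the affected range (5.8 and later) and the fixed releases (5.16.11, 5.15.25, 5.10.102) exactly as stated above, and additionally assumes, which the article does not say, that mainline 5.17 and later already carry the fix. Because distributions backport patches under older version numbers, the result is a hint for prioritising hosts, and the vendor advisory remains the authority on whether a given package is fixed.

```shell
#!/bin/sh
# Added example, not part of the article: classify a kernel release string
# against the CVE-2022-0847 (Dirty Pipe) version ranges given in the article.
#   affected : 5.8 and later (the article notes earlier kernels possibly too)
#   fixed in : 5.16.11, 5.15.25, 5.10.102
# Assumption not taken from the article: mainline 5.17 and later carry the fix.
# Distribution kernels backport fixes under old version numbers, so treat the
# output as a triage hint and confirm against the vendor advisory.

# Usage: dirtypipe_status <kernel-release>   e.g. dirtypipe_status "$(uname -r)"
# Prints one of: fixed | vulnerable | below-5.8 | unknown
dirtypipe_status() {
    rel=$1
    base=${rel%%[-+]*}          # drop distro suffixes such as -generic, -arch1-1, +
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    if [ "$rest" = "$minor" ]; then
        patch=0                 # "5.8" style release with no patch level
    else
        patch=${rest#*.}
        patch=${patch%%.*}      # keep only the third component
    fi

    # Refuse to compare anything that is not purely numeric.
    for n in "$major" "$minor" "$patch"; do
        case "$n" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done

    # Below the range the article names as affected (it may still be affected
    # via a backport; the article says "possibly even earlier ones").
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo below-5.8; return 0
    fi

    # 5.17+ and 6.x: fix is in mainline (assumption, see header comment).
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo fixed; return 0
    fi

    # Stable series with a fixed release named in the article.
    case "$minor" in
        10) [ "$patch" -ge 102 ] && echo fixed || echo vulnerable ;;
        15) [ "$patch" -ge 25 ]  && echo fixed || echo vulnerable ;;
        16) [ "$patch" -ge 11 ]  && echo fixed || echo vulnerable ;;
        *)  echo vulnerable ;;  # 5.8, 5.9, 5.11-5.14: no fixed release listed
    esac
}

# Stand-alone run: report on the kernel this shell is running on.
echo "$(uname -r): $(dirtypipe_status "$(uname -r)")"
```

Run it as a script on each host, or source it and call `dirtypipe_status` on release strings collected from inventory; a `vulnerable` result on a distribution kernel means "check the vendor's package changelog", and a `below-5.8` result still deserves the same check because of backports.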