Security researchers detailed a Linux vulnerability allowing an attacker to overwrite data in arbitrary read-only files. The vulnerability, known as CVE-2022-0847 or “Dirty Pipe” leads to privilege escalation as unprivileged processes can inject code into root processes. According to security researcher Max Kellermann, it is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit. Dirty Pipe has been a vulnerability in Linux Kernel since 5.8 and has been fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

Max Kellerman was first made aware of the vulnerability in April 2021 after he received a support ticket about corrupt files. The customer complained that the access logs they downloaded could not be decompressed. After investigation, Max Kellerman found there was a corrupt log file on one of the log servers, which could be decompressed, but gzip reported a CRC error. Max Kellerman fixed the file’s CRC manually and fixed the issue. However, he found that the issue continued to occur.

While Max Kellerman had initially presumed the vulnerability was only exploitable while a privileged process writes the file he later realized it was possible to overwrite the page cache even in the absence of writers, with no timing constraints, at (almost) arbitrary positions with arbitrary data. The limitations included that the attacker must have read permissions and the offset must not be on a page boundary. He also found that the write cannot cross a page boundary and the file cannot be resized.

Max Kellerman submitted the details and a patch to the Linux kernel security team on February 20, 2022. On February 23, the bug fixes were released for Linux (5.16.11, 5.15.25, 5.10.102) and the Android kernel the following day.

Servers running outdated kernel versions are exposed to attacks exploiting this flaw and IT and security operations administrators have been urged to prioritize patching and remediation of the vulnerability to reduce organizational security risks.

By Emily Nicholls