The Dirty Pipe vulnerability allows attackers to overwrite data in read-only files and to privilege themselves with code injection.
A new high-severity vulnerability for Linux known as ‘Dirty Pipe’ should be kept in mind by all users. It is similar to CVE-2016-5195 ‘Dirty Cow’ but is easier to exploit. Furthermore, due to the ease with which this vulnerability may be used to obtain root access, it will only be a matter of time before threat actors start exploiting it in their attacks.
On March 7, 2022, the security researcher Max Kellermann responsibly disclosed the ‘Dirty Pipe’ vulnerability and stated that it affects Linux Kernel 5.8, which was released in August 2020, and later versions. Kellerman discovered the vulnerability while investigating a bug that was causing one of his customers’ web server access records to be corrupted.
CVE-2022-0847, aka ‘Dirty Pipe’, describes a vulnerability that allows non-privileged user to inject their data into sensitive read-only files, including SUID processes that execute as root.
However, Linux computers aren’t the only ones at risk. Because Android is based on the Linux kernel, any device running version 5.8 or later is vulnerable, putting a large number of people at risk. The Google Pixel 6 and Samsung Galaxy S22, for example, use Linux kernel 5.10.43, making these popular devices vulnerable.
To exploit the CVE-2022-0847 vulnerability, attackers must have access to the host. Then, they can create a pipe, fill it with arbitrary data, empty it by leaving the
pipe_buffer flag in the
pipe_inode_info ring, opening the destination file with
O_RDONLY, then write arbitrary data into the pipe.
The Dirty Pipe vulnerability applies to Linux kernel version 5.8 and higher. That puts the kernel versions 5.10, 5.15, and 5.16, which are officially supported, at risk. As of the time of writing, the major Linux distributions have released dedicated security bulletins to help mitigate the vulnerability.
Luckily, the vulnerability was fixed in Linux kernel 5.10.102, 5.15.25, and 5.16.11. Therefore, if you have a version that is at or above one of those, you’re OK.
So, if you’re a Linux 5.x user, check your kernel version. Simply run the below command to print your kernel release.
The best recommendation, like with any Linux kernel vulnerability, is to upgrade periodically and reboot the host afterward to confirm that the patch is in effect.