Researcher Max Kellermann of CM4all has discovered a dangerous vulnerability in the Linux kernel which could potentially be exploited by hackers to gain full access to a network. The vulnerability is being called "Dirty Pipe" (a reference to a similar 2016 Linux vulnerability, "Dirty COW") and works by leveraging a bug found in the Linux pipe command, which can let attackers elevate their system privileges once they find a way onto a machine. The pipe command is a tool used in Linux/Unix that chains together the input/output of common processes in order to harness their combined efforts. Think of a factory’s assembly line passing materials through a series of individual processes that each play a part in building the final product.

The Dirty Pipe vulnerability is relatively easy to exploit. Scripts that automate the process are already appearing online for download. This attack could be leveraged to install backdoors via SSH key creation, add privileged user accounts to a machine, or manipulate SUID binaries to gain root access. This poses many dangers for Linux users, as hackers often find their way into a network through low-level service accounts (whose access to the network is limited in scope). In a typical scenario, after gaining access to a machine through a low-level user, a hacker would rely on further vulnerabilities within the machine’s environment in order to move beyond the limited access of their entry point. Dirty Pipe could allow a hacker to quickly move into an authoritative role within the environment, essentially giving them the keys to the kingdom. This is what is considered a privilege escalation attack. In other words, the ability to leverage Dirty Pipe on a compromised system is akin to sneaking onto a military base dressed as a recruit and being immediately promoted to general.

The vulnerability first appeared in the Linux kernel version 5.8 which was released in August of 2020 and was later fixed in February 2022 after the researcher Max Kellermann notified the Linux security team of the issue. In the following days, Linux patched the bug with the release of kernel versions 5.16.11, 5.15.25 and 5.10.102.

Nearly every distribution of Linux is at risk (Ubuntu, Arch, Red Hat, etc.). Even Android devices and Chromebook computers could be affected, as they are powered by Linux under the hood. Older Android phones typically run on kernels prior to the vulnerable 5.8 version, so they remain safe, but the same can’t be said for newer devices like the Pixel 6 or Samsung Galaxy S22, which do run on the vulnerable version of the kernel.

If you happen to own a newer Android device, you should check for available security updates as quickly as possible. If you find your device is running a kernel version from 5.8 up to (but not including) 5.10.102, a 5.15 kernel prior to 5.15.25, or a 5.16 kernel prior to 5.16.11, it may be in a vulnerable state. In this case, you should check frequently for a security patch, as it may not have been pushed to your specific device just yet. In the meantime, only run trusted applications on your device and hold off on downloading new ones until the patch has been applied.

For guidance on how to find the kernel version of your specific Linux device, as well as available updates, see below:

Linux computers:

  • Check your kernel version: Enter the following into a command prompt: “uname -r”.
  • Check for the security update by referencing your flavor of Linux’s upgrade instructions. For example: “apt update && apt upgrade” on Ubuntu.

Android Devices:

  • Check your kernel version: Navigate to Settings > Android Phone > Android Version.
  • Check for security updates: Settings > System > System Update.

Chromebook Computers:

  • Check your kernel version: Type the following into the browser's address bar: “chrome://system” > scroll to “uname” where you should see “localhost” on the right side of the screen. The kernel version number can be found to the right of “localhost”.
  • Check for updates: Settings > About Chrome OS > Check For Updates.
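
As an added example (not part of the original article), the shell function below takes a kernel release string obtained by any of the methods above and compares it with the version ranges quoted in this article. The function name and output labels are illustrative; it assumes that 5.8 to 5.16 branches with no fixed release listed here are still affected and that 5.17 and later include the fix.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the ranges in
# this article. Prints possibly-vulnerable, outside-vulnerable-range or unknown.
dirty_pipe_status() {
    # Keep only the leading numeric part: "5.15.0-25-generic" -> "5.15.0"
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,2\}\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;            # "5.8" has no point release number
    esac

    # Kernels before 5.8 predate the bug.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo outside-vulnerable-range; return 0
    fi
    # Assumption: 5.17 and every later release already contain the fix.
    if [ "$major" -gt 5 ] || [ "$minor" -gt 16 ]; then
        echo outside-vulnerable-range; return 0
    fi

    # Fixed point releases named in the article, per patched branch.
    case $minor in
        10) fixed=102 ;;
        15) fixed=25 ;;
        16) fixed=11 ;;
        *)  echo possibly-vulnerable; return 0 ;;  # no fixed release listed
    esac
    if [ "$patch" -lt "$fixed" ]; then
        echo possibly-vulnerable
    else
        echo outside-vulnerable-range
    fi
}

# Check the string given as the first argument, or the running kernel.
dirty_pipe_status "${1:-$(uname -r)}"
```

Distributions often backport fixes without changing the upstream version number, so treat possibly-vulnerable as a prompt to check your vendor's security advisory rather than as proof.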

Dirty Pipe is one of the most severe Linux vulnerabilities seen in a while. Its reach and capabilities make it a prime candidate for cybercriminals to leverage in their attacks. In order to stay protected, please ensure your devices are staying up to date with software updates and security patches. If you require assistance, please reach out to us for help.
