A German software developer and security researcher recently published his findings on a Linux kernel bug that could give root-level access to remote attackers.
In a post, Max Kellermann named the bug, tracked as CVE-2022-0847, “Dirty Pipe”; it allows overwriting data in arbitrary read-only files, which can lead to privilege escalation. The vulnerability was patched in 5.10.102, 5.15.25 and 5.16.11, but unpatched kernels in the 5.8, 5.10, 5.15 and 5.16 series remain vulnerable.
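As an added check (not from the article or from Kellermann's post), the following Python classifies a kernel release string against the fix versions the article lists; it assumes, beyond what the article states, that 5.8 is the first affected release and that 5.17 and later already contain the fix. Distribution kernels that backport the fix without changing the version number will be misreported, so confirm against the vendor advisory.

```python
"""Added example: classify a kernel release string against the
Dirty Pipe (CVE-2022-0847) fix versions named in the article."""
import platform
import re
from typing import Tuple

# Stable releases carrying the fix, per the article.
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_AFFECTED = (5, 8, 0)         # assumption: bug introduced in 5.8
FIRST_CLEAN_MAINLINE = (5, 17, 0)  # assumption: 5.17+ released with the fix


def parse_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` style string (e.g. '5.15.24-generic')
    into a (major, minor, patch) tuple; a missing patch level is 0."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def dirty_pipe_status(release: str) -> str:
    """Return 'unaffected', 'fixed' or 'vulnerable' for a release string.

    Series with no listed stable fix (e.g. 5.11 to 5.14) are reported as
    vulnerable, since no patched point release exists for them."""
    ver = parse_release(release)
    if ver < FIRST_AFFECTED or ver >= FIRST_CLEAN_MAINLINE:
        return "unaffected"
    fixed = FIXED_IN.get(ver[:2])
    if fixed is not None and ver >= fixed:
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    # Check the kernel this script is running on.
    rel = platform.release()
    print(f"{rel}: {dirty_pipe_status(rel)}")
```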
CM4all, the company Kellermann works for, uses Linux pipes for unidirectional inter-process data communication. Because of a bug that was several years old, it became possible to overwrite data in the page cache by writing new data into a pipe, Kellermann explained.
As Paul Ducklin at Sophos’ Naked Security blog succinctly explained:
"He [Kellermann] called the vulnerability Dirty Pipe, because it involves insecure interaction between a true Linux file (one that’s saved permanently on disk) and a Linux pipe, which is a memory-only data buffer that can be used like a file.
"Very greatly simplified, if you have a pipe that you are allowed to write to and a file that you aren’t…
"…then, sometimes, writing into the pipe’s memory buffer may inadvertently also modify the kernel’s temporary in-memory copies – the so-called cache pages – of various parts of the disk file."
The exploit has limitations, which Kellermann details in his post.