Linux "Dirty Pipe" vulnerability allows root access to local users
The Linux "Dirty Pipe" vulnerability affects Linux kernel 5.8 and later versions, including Android devices, and allows a non-privileged user to inject and overwrite data in read-only files.
The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root. This leads to privilege escalation because unprivileged processes can inject code into root processes.
A proof of concept has been released that demonstrates how a non-privileged user can modify a read-only file and then take advantage of that modification.
The perfect example is modifying the /etc/passwd file, which contains the users on a system. By removing the "x" placeholder in the root user's password field, root is no longer required to provide a password, so a normal user can elevate their privileges by running "su root" without being prompted for the root password!
Because this is a local exploit, the attacker needs to be a local user of the Linux system. The most affected environments are therefore those that allow shared console access, such as hosting and cloud providers, universities, and multi-user Linux systems in general.
The recommendation is to urgently upgrade to Linux kernels v5.16.11, 5.15.25 and 5.10.102.
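As an added example (not part of the original article or of Kellermann's proof of concept), the following script turns the two facts above into a defensive check: it classifies a `uname -r` style kernel release against the affected range and fixed versions stated here, and it verifies that the root entry in /etc/passwd still has a non-empty password field. It assumes that mainline series newer than 5.16 (5.17 and later) ship with the fix; distribution kernels that backport the patch cannot be judged from the version string alone.

```python
import re

# Kernel series that received the fix and the first patch level containing it,
# taken from the advisory text above.
FIXED_IN = {(5, 16): 11, (5, 15): 25, (5, 10): 102}
FIRST_AFFECTED = (5, 8)
# Assumption: mainline series newer than 5.16 (5.17 and later) shipped with the fix.
LAST_AFFECTED_SERIES = (5, 16)


def parse_kernel_version(release):
    """Parse a `uname -r` style string such as '5.15.24-generic' into (major, minor, patch)."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_dirty_pipe_vulnerable(release):
    """Return True when the version string falls in the CVE-2022-0847 affected range."""
    major, minor, patch = parse_kernel_version(release)
    series = (major, minor)
    if series < FIRST_AFFECTED or series > LAST_AFFECTED_SERIES:
        return False
    fixed_patch = FIXED_IN.get(series)
    if fixed_patch is None:
        return True  # series such as 5.11-5.14 have no fixed upstream release
    return patch < fixed_patch


def root_has_empty_password(passwd_text):
    """Return True if the root entry in passwd(5) text has an empty password field,
    which is the state the /etc/passwd demonstration above produces."""
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return fields[1] == ""
    return False


# Constructed sample input (not taken from a real host).
SAMPLE_PASSWD_OK = "root:x:0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"
SAMPLE_PASSWD_TAMPERED = "root::0:0:root:/root:/bin/bash\nalice:x:1000:1000::/home/alice:/bin/bash\n"

if __name__ == "__main__":
    import platform
    rel = platform.release()
    state = "in affected range by version" if is_dirty_pipe_vulnerable(rel) else "not in affected range"
    print(f"kernel {rel}: {state}")
    with open("/etc/passwd") as f:
        print("root password field empty:", root_has_empty_password(f.read()))
```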
Max Kellermann's analysis and responsible disclosure
Link to Linux Kernel upgrades
The Bleeping Computer article