
Dirty Pipeline Is an Awful Linux Mess

8 Mar 2022 1:59pm

As I write this, there’s already a nasty exploit out there using the latest Linux kernel vulnerability, Dirty Pipeline, for any J. Random Luser to overwrite root’s password field in /etc/passwd. The experts at LWN.net called it a “disconcerting kernel vulnerability.” I call it a “shoot me now” security problem.

But let’s not do that, shall we? Here’s the 411 on Dirty Pipeline, aka CVE-2022-0847. Web host sysadmin and programmer Max Kellermann found the security hole back in 2021, but at first he wasn’t sure what was going on. After a lot of blood, sweat, tears, and research, Kellermann tracked down the problem to changes in the Linux kernel that became critical in Linux 5.8. With this update, Kellermann wrote, “it became possible to overwrite data in the page cache, simply by writing new data into the pipe prepared in a special way.”

It Gets Worse

OK, that’s bad. But there’s much worse to come. Kellermann found that “To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”

Oh My God.

If this rings a faint bell, it should. 2016’s Dirty Cow Linux bug had similar characteristics. The new bug, as Kellermann observed, is similar “but is easier to exploit.”

Fabulous. Absolutely fabulous.

High Score

Red Hat gives it a 7.8 Common Vulnerability Scoring System (CVSS) rating. That’s high. Personally, I’d be tempted to call it worse than that. Besides the exploits already out there, as I read the code and Kellermann’s excellent step-by-step description of how he found Dirty Pipeline, I’m sure there are other ways to abuse this security vulnerability.

Here’s what this means for you. Any distro using Linux kernel version 5.8 or later is vulnerable. That means pretty much all your production Linux distributions are vulnerable.

Good News, Bad News

The good news is the Linux Kernel Security team has fixed the vulnerability in Linux 5.16.11, 5.15.25, and 5.10.102. So, get to work patching your Linux distributions as soon as possible.

The bad news is that as of Monday evening on the US East Coast, not all distributions have released patches yet. For example, Red Hat Enterprise Linux Server (RHEL) 8 can be attacked and Red Hat states “Currently there is no mitigation available for this flaw.” The same is true of the recent Ubuntu distributions.

Usually, at this point in the article, I’d tell you to patch your operating system as soon as possible. This time, I’m telling you to keep an eagle eye on your systems for any funny business and be ready to patch your Linux the moment a patch is available for your distribution.

Or, if you’re up to the job, and think eliminating this problem is worth taking a chance, update test versions of your production system with a do-it-yourself kernel upgrade to 5.16.11, 5.15.25, or 5.10.102. If you don’t run into any show-stopping regression or bugs in your software stack, you can then try rolling your homebrew fix out to production until your official patch is available.
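
A triage check built on the version numbers above, as an added example that is not code from the article or from Kellermann: it classifies a kernel release string as not-affected, vulnerable, fixed or unlisted. The function name, the verdict words and the upstream/vendor flag are assumptions of this example; any release with a distro suffix is flagged as vendor because distribution kernels, like the RHEL 8 case above, can differ from what the upstream version number implies.

```shell
#!/bin/sh
# Added example, not from the article: classify a kernel release string against
# the versions the article gives (vulnerable from 5.8; fixed in 5.10.102,
# 5.15.25 and 5.16.11). Prints "<verdict> <origin>".
dirtypipe_status() {
    dp_rel=${1:-$(uname -r)}
    dp_ver=${dp_rel%%[!0-9.]*}      # "5.15.0-27-generic" -> "5.15.0"
    # A suffix marks a distro or custom build. Vendors backport both features
    # and fixes, so the verdict for such a kernel is only a hint.
    dp_origin=upstream
    [ "$dp_rel" = "$dp_ver" ] || dp_origin=vendor

    dp_ifs=$IFS; IFS=.
    set -- $dp_ver                  # split on dots: major minor patch
    IFS=$dp_ifs
    dp_major=${1:-}; dp_minor=${2:-}; dp_patch=${3:-0}
    if [ -z "$dp_major" ] || [ -z "$dp_minor" ]; then
        echo "unknown $dp_origin"; return 0
    fi

    if [ "$dp_major" -lt 5 ] || { [ "$dp_major" -eq 5 ] && [ "$dp_minor" -lt 8 ]; }; then
        echo "not-affected $dp_origin"; return 0
    fi

    dp_fix=
    case $dp_major.$dp_minor in     # fixed stable releases named in the article
        5.10) dp_fix=102 ;;
        5.15) dp_fix=25 ;;
        5.16) dp_fix=11 ;;
    esac

    if [ -n "$dp_fix" ]; then
        if [ "$dp_patch" -ge "$dp_fix" ]; then dp_v=fixed; else dp_v=vulnerable; fi
    elif [ "$dp_major" -gt 5 ] || [ "$dp_minor" -gt 16 ]; then
        dp_v=unlisted               # newer than any branch the article names
    else
        dp_v=vulnerable             # 5.8 to 5.14 branch, no fixed release listed
    fi
    echo "$dp_v $dp_origin"
}

# Classify the running kernel, or a release string passed as the first argument.
dirtypipe_status "$@"
```

Treat any result tagged vendor as a prompt to read the distribution's advisory for CVE-2022-0847 rather than as a final answer.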
