Mar 09, 2022 23:00:00

A critical elevating vulnerability was discovered in the Linux kernel, affecting Android devices

A vulnerability has been discovered in which the Linux

kernel , which is also installed in Android devices, can be overwritten with arbitrary files. Files that require root privileges can also be overwritten and privilege escalation can be performed, which is extremely impactful.

The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation
https://dirtypipe.cm4all.com/

As the name 'Dirty Pipe (CVE-2022-0847)' means, this vulnerability is caused by a pipe that handles communication between multiple programs on Linux. Linux has a mechanism called ' page cache ' that speeds up the reading speed when accessing again by storing the file once read as a cache in the memory, but by using Dirty Pipe, through the pipe Any area of the page cache can be freely rewritten.

With this vulnerability alone, the attack target is only the cache on the memory, so it is said that it can attack without leaving a trace because it does not rewrite the actual file, and due to the characteristic of rewriting only the cache, it is read-only such as CD-ROM. It is also possible to rewrite the data of. Through this cache rewrite, it is possible to illegally create an SSH key or create a user and grant root privileges.

There is a fundamental problem with the Linux kernel code, so there is no workaround other than updating Linux to a fixed version. This vulnerability was reported to the kernel security team on February 20, 2022, and was fixed in the February 23 update. The modified version numbers are '5.16.11', '5.15.25', and '5.10.102'. However, it is said that the Linux kernel code contains this vulnerability in version '5.8', so if you are using a version earlier than 5.8, you do not need to take any action.

Android using Linux is also affected by this vulnerability. Google merged the patch into the Android kernel on February 24th. Check 'Kernel version' from 'Settings'-> 'Device information'-> 'Android version' to see if your Android device has this vulnerability. If this version is less than 5.8, there is no problem, but if it is 5.10 series, it has a vulnerability if the third number is less than 102, 5.15 series has the third number less than 25, 5.16 series is less than 11. If so, it is vulnerable and needs to be updated. For example, in the image below, the kernel version is '5.10.43' and the third number is '43', so it can be said that it has this vulnerability.

Researcher Max Kellerman , who discovered the vulnerability, has summarized the technical details of this problem, such as the background to the discovery and the proof-of-concept code.