Linux distributions are in the process of issuing patches to address a newly disclosed security vulnerability in the kernel that could allow an attacker to overwrite arbitrary data into any read-only files and allow for a complete takeover of affected systems.
Dubbed "Dirty Pipe" (CVE-2022-0847, CVSS score: 7.8) by IONOS software developer Max Kellermann, the flaw "leads to privilege escalation because unprivileged processes can inject code into root processes."
Kellermann said the bug was discovered after digging into a support issue raised by one of the customers of the cloud and hosting provider that concerned a case of a "surprising kind of corruption" affecting web server access logs.
"A flaw was found in the way the 'flags' member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values," Red Hat explained in an advisory published Monday.
"An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system," it added.
Pipe, short for pipeline, is a unidirectional inter-process communication mechanism in which a set of processes are chained together such that each process takes input from the previous process and produces output for the next process.
Exploiting the weakness requires performing the following steps: create a pipe, fill the pipe with arbitrary data, drain the pipe, splice data from the target read-only file, and write arbitrary data into the pipe, Kellermann outlined in a proof-of-concept (PoC) exploit demonstrating the flaw.
Put simply, the vulnerability is high risk in that it allows an attacker to perform a number of malicious actions on the system, including tampering with sensitive files such as /etc/passwd to remove a root user's password, adding SSH keys for remote access, and even executing arbitrary binaries with the highest privileges.
Another damaging action enabled by Dirty Pipe includes the ability to modify files in container images, provided a bad actor has access to a single container on the host.
"If they have that access and the kernel version is vulnerable, they can modify any files from the image that was used to create the container that they have access to, or any files that are mounted read only from the underlying host," Aqua Security's Rory McCune said in a report.
"To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts)," the researcher said. "That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions."
The issue has been fixed in Linux versions 5.16.11, 5.15.25, and 5.10.102 as of February 23, 2022, three days after it was reported to the Linux kernel security team. Google, for its part, merged the fixes into the Android kernel on February 24, 2022.
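A defender-side check, added here as an example and not taken from the article or from any distribution's tooling: it classifies a kernel version string against the three upstream fixed releases named above. It assumes an upstream-style version as printed by `uname -r`; vendor kernels often carry the backported fix under an older version number, so a "vulnerable" result means "consult your distribution's advisory", not "confirmed exploitable".

```shell
#!/bin/sh
# Added example (not from the article or the kernel project): classify a kernel
# version against the fixed upstream releases 5.16.11, 5.15.25 and 5.10.102.
# Distribution kernels frequently backport fixes without changing the upstream
# version string, so treat "vulnerable" as "verify against the distro advisory".

# Compare two dotted version strings; prints -1, 0 or 1 for a < b, a == b, a > b.
vercmp() {
    a="$1"; b="$2"
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && { echo 0; return; }
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        i=$((i + 1))
    done
}

# Print "patched", "vulnerable" or "unknown" for a version such as 5.15.24-generic.
dirty_pipe_status() {
    # Keep only the numeric x.y.z prefix; drop suffixes like "-generic" or "-rc6".
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    series=$(printf '%s' "$v" | cut -d. -f1,2)
    case "$series" in
        5.16) fixed=5.16.11 ;;
        5.15) fixed=5.15.25 ;;
        5.10) fixed=5.10.102 ;;
        *) echo unknown; return ;;   # other series: check the distro advisory
    esac
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Usage: classify the running kernel.
dirty_pipe_status "$(uname -r)"
```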
Given the ease with which the security flaw can be exploited and the release of the PoC exploit, it's recommended that users update Linux servers immediately and apply the patches for other distros as soon as they're available.