Revealing an 8-year-old Linux kernel vulnerability, “As Nasty as Dirty Pipe”

Revealing an 8-year-old Linux kernel vulnerability, "As Nasty as Dirty Pipe"

News Summary:

  • The security bug, dubbed DirtyCred by a group of Northwestern University academics, takes use of a vulnerability that was previously undiscovered (CVE-2022-2588) to elevate privileges to the highest level.

  • Researchers have discovered information about an eight-year-old security flaw in the Linux kernel that they describe as “as terrible as Dirty Pipe.”

Researchers Zhenpeng Lin, Yuhang Wu, and Xinyu Xing highlighted that “DirtyCred is a kernel exploitation concept that replaces unprivileged kernel credentials with privileged ones to increase privilege.” In order to gain privileges, DirtyCred takes advantage of the heap memory reuse mechanism rather than overwriting any crucial data fields on the kernel heap.

The researchers claim that the new exploitation technique takes the filthy pipe to a new level and increases its generality and power in a way that makes it applicable to all kernel versions afflicted by the vulnerability.

This entails three steps –

“First, rather than tying to a specific vulnerability, this exploitation method allows any vulnerabilities with double-free ability to demonstrate dirty-pipe-like ability,” the researchers said.

“Second, while it is like the dirty pipe that could bypass all the kernel protections, our exploitation method could even demonstrate the ability to escape the container actively that Dirty Pipe is not capable of.”

A security flaw in the pipe subsystem known as “Dirty Pipe,” which affects Linux kernel versions starting at 5.8 and is tagged as CVE-2022-0847 (CVSS score: 7.8), enables processes with low privileges to write to any readable file, escalating their privileges.

Because of its resemblance to the 2016 Dirty Cow weakness, the exploitable vulnerability was given that name. The researchers advise separating privileged credentials from unprivileged ones using virtual memory to prevent cross-cache attacks because objects are isolated based on their nature rather than their rights.

We will be happy to hear your thoughts

Leave a reply

Tech Reviews, News and Guides