"As Nasty as Dirty Pipe" — 8 Year Old Linux Kernel Vulnerability Uncovered

The Hacker News (thehackernews.com), Aug 22, 2022, 1:05 p.m.

CVSS3: 7.8 High (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 7.2 High (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE


Details of an eight-year-old security vulnerability in the Linux kernel have emerged that the researchers say is “as nasty as Dirty Pipe.”

Dubbed DirtyCred by a group of academics from Northwestern University, the security weakness exploits a previously unknown flaw (CVE-2022-2588) to escalate privileges to the maximum level.

“DirtyCred is a kernel exploitation concept that swaps unprivileged kernel credentials with privileged ones to escalate privilege,” researchers Zhenpeng Lin, Yuhang Wu, and Xinyu Xing noted. “Instead of overwriting any critical data fields on kernel heap, DirtyCred abuses the heap memory reuse mechanism to get privileged.”

This entails three steps:

  • Free an in-use unprivileged credential with the vulnerability
  • Allocate privileged credentials in the freed memory slot by triggering a privileged userspace process such as su, mount, or sshd
  • Operate as a privileged user

The novel exploitation method, according to the researchers, pushes Dirty Pipe to the next level, making it both more general and more potent, in a way that could work on any version of the affected kernel.


“First, rather than tying to a specific vulnerability, this exploitation method allows any vulnerabilities with double-free ability to demonstrate dirty-pipe-like ability,” the researchers said.

“Second, while it is like the dirty pipe that could bypass all the kernel protections, our exploitation method could even demonstrate the ability to escape the container actively that Dirty Pipe is not capable of.”

Dirty Pipe, tracked as CVE-2022-0847 (CVSS score: 7.8) and affecting Linux kernel versions starting from 5.8, refers to a security vulnerability in the pipe subsystem that allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation.

Dirty Pipe was named after the Dirty Cow vulnerability discovered in 2016, because of the similarities between the two.

Given that kernel objects are isolated by type rather than by privilege, the researchers recommend isolating privileged credentials from unprivileged ones using virtual memory, to prevent cross-cache attacks.
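To make that recommendation concrete, here is a small added model (constructed for this article, not the researchers' or the kernel's code): a toy slab cache that recycles freed slots LIFO, first shared by every credential object as type-based isolation does, then split by privilege level in the spirit of the proposed mitigation. The cred layout, slot count and uid values are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model, not kernel code: a credential object and a tiny slab
 * cache that recycles freed slots LIFO, as a type-based cache does. */
struct cred { unsigned uid; };

#define SLOTS 4
struct cache {
    struct cred slots[SLOTS];
    int free_list[SLOTS];   /* indices of free slots; top of stack at nfree-1 */
    int nfree;
};

static void cache_init(struct cache *c) {
    c->nfree = 0;
    for (int i = SLOTS - 1; i >= 0; i--) c->free_list[c->nfree++] = i;
}
static struct cred *cache_alloc(struct cache *c, unsigned uid) {
    if (c->nfree == 0) return NULL;
    struct cred *p = &c->slots[c->free_list[--c->nfree]];
    p->uid = uid;
    return p;
}
static void cache_free(struct cache *c, struct cred *p) {
    c->free_list[c->nfree++] = (int)(p - c->slots);
}

/* Type-based isolation: every cred shares one cache. Once the unprivileged
 * cred is freed, the next privileged allocation reuses its slot, so a stale
 * reference to the old object now reads uid 0. Returns true on overlap. */
bool shared_cache_overlaps(void) {
    struct cache cache; cache_init(&cache);
    struct cred *unpriv = cache_alloc(&cache, 1000);
    cache_free(&cache, unpriv);                  /* slot back on the free list */
    struct cred *priv = cache_alloc(&cache, 0);  /* e.g. a setuid program's cred */
    return priv == unpriv && unpriv->uid == 0;
}

/* Privilege-based isolation: privileged creds come from their own cache, so
 * an unprivileged slot is never recycled into a privileged object. */
bool split_caches_isolate(void) {
    struct cache unpriv_cache, priv_cache;
    cache_init(&unpriv_cache); cache_init(&priv_cache);
    struct cred *unpriv = cache_alloc(&unpriv_cache, 1000);
    cache_free(&unpriv_cache, unpriv);
    struct cred *priv = cache_alloc(&priv_cache, 0);
    return priv != unpriv && unpriv->uid == 1000;
}
```

The first function shows why a type-keyed cache alone offers no privilege boundary; the second shows that partitioning allocations by privilege removes the overlap even when the same free-then-allocate sequence occurs.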

