Linux Has Been Bitten By Its Most High-Severity Vulnerability in Years

Cognitive Dissident writes: Ars Technica is reporting a major new vulnerability in Linux. Named "Dirty Pipeline" it involves abuse of 'pipes' at the shell level as you might guess.

The name Dirty Pipe is meant to both signal similarities to Dirty Cow and provide clues about the new vulnerability's origins. "Pipe" refers to a pipeline, a Linux mechanism for one OS process to send data to another process. In essence, a pipeline is two or more processes that are chained together so that the output text of one process (stdout) is passed directly as input (stdin) to the next one. Tracked as CVE-2022-0847, the vulnerability came to light when a researcher for website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher finally found that the customer's corrupted files were the result of a bug in the Linux kernel.

Somewhere an expert security engineer

[rsilvergun]

is snickering at the thought of hundreds of professional TV Anchors saying "Dirty Pipeline". Bravo sir! It's been ages since we've pulled one of these over on them.

Re:

[blackomegax]

Linux powers the servers that run 96.5 percent of the top one million domains in the world (as ranked by Alexa)

Weekend hobbyists my arse.

Re:

[Merk42]

I don't think you want to equate popularity with quality, especially with Operating Systems.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[DontBeAMoran]

For example, gaming sucks on both macOS and Linux, but is extremely good and popular on Windows. That's proof that macOS and Linux are not toys, but Windows is!!1

Re:

[HiThere]

Well, it's proof that if your main concern is gaming, you should use Windows. Of course, it also depends on which particular games you like. The ones I like don't even run on Windows (though most of their close relatives do).

Re:

[ArchieBunker]

Quietly laughs in BSD.

Re:

[shanen]

Why did you mindless propagate the mindless AC's brain fart Subject? Even if it might have been intended as a joke?

Re:

[NoMoreACs]

Linux powers the servers that run 96.5 percent of the top one million domains in the world (as ranked by Alexa)

  Weekend hobbyists my arse.

Oh, so that's what's wrong with the Internet!
[/s]

Re:

[HiThere]

I think is was a joke, even though people are responding as if he meant it seriously.

That said, it could have been posted by someone who likes BSD. And from their perspective, they might have a point.

Re:

[theshowmecanuck]

It was a troll coming out for a snack.

Re:

[nagora]

...when you use a UNIX wannabe coded by weekend hobbyists instead of an industrial quality OS rigorously constructed by professional programmers at respected companies like Apple Corp. or Microsoft.

Well, that was the laugh we all needed in this dark hour. Thanks.

Re:

[UnknownSoldier]

Not sure if stupid, trolling, or joking but you missed the sarcasm tag at the end.

Given that Microsoft have ...

* More then 50% [microsoft.com] of Azure runs Linux,
* Their own Linux Distribution CBL-Mariner [jreypo.io],
* First started contributing to Linux in 2009,
* Was the fifth largest contributor to the Linux 3.0 kernel having 4% of changes on July 2011,

... then what does that make Microsoft's employees? Respected? Not respected? /s

In case anyone is curious here are some stats for the last few versions of the Linux Kernel and who co

Re:

[bn-7bc]

Pwn2Own, hmm the question I often ask myself (but for some reason always forget to check) is wether the hw running linux is as attractive (from a spec standpoint) as the hw ro\unning OSX/Windows. Here is my point if the linux Powner gets to take home a cheapo Chromebook vs the osc Powner getting a MBP you might get a selection bias in favor of people attacking the MPB because if they win they realize a much bigger potential profit by turning artrond and selling it straight away. So unless all the desktop/l

Re:

[ctilsie242]

I read this same thing on USENET back in the 1990s, along the lines of "Linux is a ragtag OS written by hippies to take money away from real OS makers like Sun, SGI and Microsoft". Some things never change.

Re:

[ehrichweiss]

I honestly would have given anything for Sun and SGI to have come out on top.

Re:

[jellomizer]

The year 2000 called and wants their Troll back.

Re:

[DarkOx]

Why some lefty twit like you says it every other day; usually talking about oil though.

Re:

[Miles_O'Toole]

You are mistaken. When lefties speak of a "dirty pipeline", we're usually referring to what was left in your mom after our farm animals finished running dicks up her birth canal.

I'm glad she didn't try for child support after you came along, though. I bet the bill for your special ed costs was formidable.

Re:

[DarkOx]

That's not a polite way to talk about your siblings and yourself Miles...

Re:

[Miles_O'Toole]

If you were able to read English without help, you'd know I was referring to you. Maybe you'd better go get your mom and ask her to read the comment to you. She'll probably be able to fill in some juicy details. ;-)

Re:

[ArchieBunker]

The only person talking about oil is you.

Re:

[CubicleZombie]

I think the real question is, have they performed deep penetration testing on the dirty pipe?

Only affects kernel 5.8 and later

[Guy Smiley]

Reading the article, one critical bit of information omitted from the summary, and only appearing late in the article is that this bug was first introduced in kernel 5.8, so does not affect common installations like RHEL 8.

Re:

[MagicM]

According to RedHat's page [redhat.com], RHEL 8 is affected.

Re:

[MagicM]

My mistake. Apparently RHEL 8 is simultaneously affected and not affected.

Note that PIPE_BUF_FLAG_CAN_MERGE flag attack vector is not available in Red Hat Enterprise Linux 8 and thus the currently known exploits leveraging this flag do not work. The underlying issue (lack of proper pipe_buffer structure initialization) is still present though and other novel ways leading to successful exploitation cannot be fully ruled out.

Re:

[bill_mcgonigle]

> My mistake. Apparently RHEL 8 is simultaneously affected and not affected.

It may have this vulnerability but it's not affected by this exploit.

Re:

[necro81]

My mistake. Apparently RHEL 8 is simultaneously affected and not affected.

It's a Schrödinger's Exploit.

Re:

[gosso920]

Schroedinger's distro.

Re:

[JustAnotherOldGuy]

My mistake. Apparently RHEL 8 is simultaneously affected and not affected.

It's Schrodinger's vulnerability, so you won't know if it's vulnerable unless you look inside the CPU.

Re:

[gidzero]

Keep in mind, RHEL backports and or cherrypicks commits from upstream into their kernel; so the 4.18 in RHEL8 is plus_plus and minus_minus 4.18 upstream

Re:

[Junta]

RedHat kernels only vaguely resemble the referenced kernel version. It backports a tremendous amount of code from newer versions, and thus the only way to know to the extent a new change relates to a redhat version number is for redhat to explain.

This is a huge pain as some security tools are oblivious to this and gives incorrect results on RedHat (and other distributions to, to some extent, which package backports/security fixes to some arbitrary version of various packages).

In this case, it seems they ha

Re:

[bws111]

That page says this: Note that PIPE_BUF_FLAG_CAN_MERGE flag attack vector is not available in Red Hat Enterprise Linux 8 and thus the currently known exploits leveraging this flag do not work. The underlying issue (lack of proper pipe_buffer structure initialization) is still present though and other novel ways leading to successful exploitation cannot be fully ruled out.

So, no, RHEL 8 is NOT affected by this particular vulnerability.

Re:

[neilo_1701D]

Reading the article, one critical bit of information omitted from the summary, and only appearing late in the article is that this bug was first introduced in kernel 5.8, so does not affect common installations like RHEL 8.

The article further states that the bug was there all along; it was kernel 5.8 that offered an easy way to exploit it.

Re:

[Brain-Fu]

It looks like this is a privilege escalation attack, allowing any account to obtain root privileges. So that means that malicious apps can gain root when run. I didn't see anything about attackers being able to "leap in" using something like a malicious web page or bluetooth transmitter, though. It makes me think people are safe so long as they aren't running sketchy apps.

Does anyone know if there is some way to use this to "push in" to a system if it isn't already running a trojan app?

And anyway, the ar

Re:

[HiThere]

I think it's more dangerous than you are suggesting, but Debian issued an update to stable last night (or was it the night before) so I suspect it's been patched if your system is up to date. And for older installs the system isn't vulnerable to this attack, though the basis of the vulnerability is present.

OTOH, yes, it's a privilege escalation attack. But that means that any attack that's successful on any user can be escalated to a root attack. And this would include vulnerabilities in web browsers and

Re:

[OrangeTide]

FUD? DUM? BUG? it's hard to say.

Re:

[jellomizer]

Isn't the point of Open Source was the idea that all eyes would be able to spot malicious code before it happens.

Re:

[F.Ultra]

No, no one have ever claimed that (except windows-trolls of course).

Re:

[JustAnotherOldGuy]

Isn't the point of Open Source was the idea that all eyes would be able to spot malicious code before it happens.

No, that's not the point, and it never was.

I'm surprised- you're normally pretty sensible about stuff but now I wonder if some douchebag has hacked your account.

LOLOL M$ BAD!

[Merk42]

Oh! This security bug affects Linux? Well...uh.. then it doesn't count.. and will get patched...so it's fine.

Re:LOLOL M$ BAD!

[MancunianMaskMan]

Public disclosure was 12 days _after_ stable releases were patched at kernel.org, (presumably to give distros time to push it downstream).

The guy dug around for months to find the bug, but after he found it, he submitted it to the kernel team (with a patch to fix!) 2 days later. This is a pretty good turnaround compared to commercial competitrors' vuln fix timelines.

The whole story here: https://dirtypipe.cm4all.com/ [cm4all.com]

Re:

[dargaud]

That's an exciting read. Like a thriller for debuggers !

Re:

[140Mandak262Jamuna]

We owe a lot to people like Max Kellerman. This bug would be worth a lot in the black market.

He was not tempted by the dark side of the Force.

Re:

[skovnymfe]

https://xkcd.com/705/ [xkcd.com]

Re:

[notsouseful]

How long between disclosure and patch availability? I'm guessing a few days to a week here...Windows, there's been CVEs that lasted months after disclosure.

There is a write-up by Max Kellermann [cm4all.com], the initial reporter, about the bug and exploit which includes a timeline near the bottom.

Re:

[shaitand]

Not to mention in windows land they are commonly remote exploitable. This is a local escalation so the attacker still needs to already have access to the machine.

Re:

[jbengt]

. . . will get patched . . .

Already been fixed last month.

Re:

[OrangeTide]

Feb 21 2022 [kernel.org]

Last month technically, more like 2 weeks by my reckoning.

Re:

[phantomfive]

Privilege escalation bugs are common in every OS. The reason is because there is a massive attack surface (the OS syscall interface) that was mostly designed without security in mind. It is also why Windows has more security problems than Linux, because the interface exposed is much larger.

The end result is that you should not rely on local privileges as the primary defense in your security model. It can be helpful part of a defense in depth, but it should not be the primary defensive layer (especially sinc

Re:

[OrangeTide]

Not found in OpenBSD. No need to jump over to MS just yet.

Re:

[shaitand]

No no I'm letting you have this moment. They are so rare for you M$ guys.

By 'most severe vulnerability in years' they still just mean a local priv escalation though.

Re:

[iggymanz]

only affects Linux with bleeding edge kernel... not a concern to most of us running stable long term patched stuff.

*yawn*

Re:

[ebvwfbw]

So it's not just me. I tried a bunch of test VM systems I have. Some of them with some 6 month old kernels. Nothing happens. It says it's successful. It wasn't.

Yes, *Yawn*. By the title you'd think - run over the women and children! This needs to be fixed NOW!

I told you!

[Tablizer]

You should have used Win~& v` f}*q [NO CARRIER]

Re: I told you!

[TwoOperands]

We know you're joking but there's going to be knee-jerk OS swapping going on. Every OS has its troubles but we should never dogpile on it if the authors reveal the issues in good faith. Note that if this had occurred in Windows or OSX then you probably wouldn't find out until after you're hacked. Then the vendor will claim you're holding it wrong. Either way your insurance claim is going to fail but at least Linux never tried to say it was 100% bug-free. It isn't. No software is.

Re:

[OrangeTide]

Swap our your old Linux for a shiny new Linux and then you won't have this bug. It's kind of why enterprise customers pay Red Hat, SUSE, etc.

Re:

[sjames]

OTOH, I upgrade only when necessary and prefer LTS distro versions, so no kernel I'm using has the vulnerability. When upgrade time comes, I'll skip the vulnerable versions.

LTS releases are not immune to exploits

[OrangeTide]

It should be present in Ubuntu 20.04.4 (Focal Fossa) LTS running kernel 5.13 (the flaw is in kernel 5.8 and later). When I checked, Canonical hasn't updated their page on the issue. [ubuntu.com]. I but I expect "needs triage" to move to "vulnerable" in short order.

While you wait for an exploit known for over 2 weeks to be fixed, you can feel comforted that a fix will eventually arrive thanks to the Long-Term Support guarantees.

Re:

[sjames]

I'm still on 18.04.6 (Bionic Beaver) because I didn't need to upgrade yet and it is still within support.

Focal Fossa ships with kernel 5.4 (not vulnerable).

Re:

[OrangeTide]

If you update on Focal Fossa you get 5.13 because you'll be moved onto 20.04.4.

Ubuntu 20.04.0 and 20.04.1 LTS ships with v5.4
Ubuntu 20.04.2 LTS ships with v5.8
Ubuntu 20.04.3 LTS ships with v5.11
Ubuntu 20.04.4 LTS ships with v5.13

But remember that 20.04.0 has fallen out of LTS. and is now in ESM (Extended Support Maintenance).

You're pretty safe if you're on v5.4 though. It doesn't falls out of support until year 2025. After that you'll want to consider moving to v5.15 to take you out to yeare 2027.

Re:

[sjames]

Booting the 5.4 kernel remains an option though and the packages are still there. So nobody's stuck.

Details ...

[kbahey]

Here are the details [cm4all.com] from the person who discovered the vulnerability.

Note that the vulnerable kernels are 5.16.x, 5.15.x and 5.10.x. So if you are running, for example, Ubuntu 20.04 LTS (like I am), you are not vulnerable since it has 5.4.0.

Re:

[omfglearntoplay]

Good to know the LTS / long term support release was more stable as we would all hope. And thanks for the post, I can rest easy over here myself as I'm also on the 20.04 LTS version.

Well ...

[fahrbot-bot]

"Pipe" refers to a pipeline, a Linux mechanism for one OS process to send data to another process.

A Unix mechanism to be sure, having pre-dated Linux by 20 years.

Re:

[bill_mcgonigle]

> A Unix mechanism to be sure, having pre-dated Linux by 20 years.

For those interested, I had the guy who came up with the idea present to our LUG in 2005. Ancient camcorder warning!

https://archive.org/details/Do... [archive.org]

Somewhat limited relevancy

[gweihir]

First, it only applies to kernels 5.8 and newer. I found one in my collection in Gentoo. My Debian installations (oldstable) are not even affected. This will also make it irrelevant on many Android installations. Second, this is a _local_ privilege escalation. You know, the kind of thing that on Windows does not even get patched out of schedule anymore, because it is so easy to do there. Still a potential problem, but an attacker has to get in first.

So yes, this needs a patch. But any kind of grandiose headline is simply hyperbole.

Re:

[Todd Knarr]

5.8 was released in 2020, it's not a recent version and Ubuntu 20.04 LTS is using 5.15 (assumed vulnerable). Definitely a current issue. And it needs to be addressed because a local root escalation vulnerability like this means that any and all remote code execution compromises/exploits have to be considered remote root escalation vulnerabilities. Fortunately the Linux kernel team had it patched shortly after it was discovered (and before it was announced publicly) and the patches have likely rolled out to

Re:

[Xylantiel]

My Ubuntu 20.04 is using 5.4. Also reported by another poster. At least get your facts right if you're going to get all preachy. And none of your preaching changes the fact that Windows is so rife with local exploits that everyone serious about security just assumes it is impossible to secure against local privilege escalation.

Re:

[gweihir]

My Ubuntu 20.04 is using 5.4. Also reported by another poster. At least get your facts right if you're going to get all preachy.

The preachy idiots do not care about facts. They care about acting all superior and telling everybidy how great and knowledgeable they are. If somebody behaves like this guy, it is a good indicator his information is faulty and his conclusions are worthless.

Re:

[gweihir]

If you have a remote code execution vulnerability, you are already screwed. This does somewhere between nothing and very little to make matters worse. Also, I guess you are unfamiliar with long-term supported kernels. You mau want to correct that shortcoming by looking at www.kernel.org. Here is a hint: 2 of 6 kernels with long-term support are affected.

Re:

[bill_mcgonigle]

> My Debian installations (oldstable) are not even affected.

It appears to me that Debian Stable is unpatched after public disclosure, two weeks after the kernel update and one week after private disclosure to the distros. For a two line patch that's obvious on its face.

I hope I can't read...

Re:

[gweihir]

> My Debian installations (oldstable) are not even affected.

It appears to me that Debian Stable is unpatched after public disclosure, two weeks after the kernel update and one week after private disclosure to the distros. For a two line patch that's obvious on its face.

I hope I can't read...

Debian is slow. A reason to run oldstable, which is not affected. Also, the Debian maintainers are not prone to hysterics, unlike some people here. Patching this is not that urgent. If you have a remote code execution vulnerability, you are already pretty much screwed. If you do not, you typically have no immediate problem.

Re:

[AvitarX]

I would think that completely destroying local security is a pretty big deal.

Isn't it still that the biggest threats are internal?

Re:

[gweihir]

I would think that completely destroying local security is a pretty big deal.

Isn't it still that the biggest threats are internal?

No. The biggest threats are malware and remote exploits. Local exploits are something that you should patch in a timely manner on Linux (i.e. within a few weeks), but nothing to get hectic about. On windows, local exploits are so numerous that you basically assume if anybody gets any local user the machine is fully compromised.

Re:

[gweihir]

To clarify: Yes, the some of the biggest threats from the side of enterprise risk-management are insider-threats. But there is no basically connections to local privilege elevation exploits. Insider threats are about people within an organization abusing rights they legitimately have or illegitimately but within that autorisation framework could obtain, e.g. by claiming to a clueless superior that they need these right to do their job. In almost all cases, these "insiders" are not IT experts and could not u

Re:

[lexios]

It appears to me that Debian Stable is unpatched after public disclosure, two weeks after the kernel update and one week after private disclosure to the distros. For a two line patch that's obvious on its face. I hope I can't read

If you missed the next line just below vulnerable on https://security-tracker.debian.org/tracker/CVE-2022-0847 [debian.org] then yes, read a bit more carefully next time, please.

Re:

[gweihir]

It appears to me that Debian Stable is unpatched after public disclosure, two weeks after the kernel update and one week after private disclosure to the distros. For a two line patch that's obvious on its face.

I hope I can't read

If you missed the next line just below vulnerable on https://security-tracker.debian.org/tracker/CVE-2022-0847 [debian.org] then yes, read a bit more carefully next time, please.

Well, to be fair, regular Bullseye is vulnerable. Bullseye-security is not. There are both good reasons for having the security repo in your sources lists and for not having it in there.

Hurts my soul...

[justinleona]

10 months of debugging staring a couple octets? That's an almost inhuman amount of patience... I'm kinda glad it paid off for him - it's rare to find something like this!

Re:

[Make]

The actual debugging only took me only one (long) day - plus an hour here and there but with no useful result. 10 months is just wallclock time, not user time ;-)

Glad I stayed with WIndows XP

[zwarte piet]

Imagine if I had switched to Linux like everyone wanted me to :O Sometimes it pays to not listen

Re:

[jellomizer]

Did you get CodeRed off your system yet?

Ooof - safety check removed

[bill_mcgonigle]

The real kicker is that the patch [kernel.org] re-enables safety flags that were removed> (line 544). [github.com]

Double-kicker is that Debian apparently hasn't pushed the patch in the week that they had so 'stable' is vulnerable [debian.org]. It's hard to believe, so please correct if I missed it.

Re:

[olau]

If you go to the developer page [debian.org], you can see that it was uploaded to the security repository [debian.org].

The security repository is enabled when you install stable. Why the packages are not just merged directly into stable, I have no idea. Perhaps it has to do with mirroring?

Re:

[bill_mcgonigle]

Update: the package was updated yesterday and propagated overnight.

However, note that the new archive name is 'stable-security'. You might need to update your pins if you upgraded from Buster and you're not seeing the update now. I put in a pull request to add that to the release notes.

Eep, don't let people ssh in as root!

[Khopesh]

The researcher—Max Kellermann of CM4all parent company Ionos—eventually figured out how to weaponize the vulnerability to allow anyone with an account—including least privileged "nobody" accounts—to add an SSH key to the root user's account. With that, the untrusted user could remotely access the server with an SSH window that has full root privileges.

This is one of many reasons why you should never allow root to log in via ssh (the primary reason is for accountability: requiring sud

Re:

[Whatanut]

You're not reading that right. They aren't coming in as root through ssh. They are gaining root in an ssh session. Sudo can be used for this exploit.

See an example screenshot of the exploit in action here:
https://www.bleepingcomputer.c... [bleepingcomputer.com]

Re:

[zwarte piet]

I think you didn't understand it. The attacker can overwrite sudo with their own program that launches a shell without doing any logging or asking passwords. then simply putting sudo back. No one sees anything, except that webserver of yours is now mining bitcoins for them and sending tons of porn spam.

Re:

[Junta]

That's too fixated on the specific example given. In your configuration, the attacker would instead just overwrite /etc/sudoers to achieve the same end.

Root login being disabled in ssh would not work to mitigate this vulnerability.

Not surprising giving Linus and Greg KHs attitudes

[metrix007]

Both of these individuals refuse to recognize security vulnerabilities as something distinct and insist on treating them as "just another bug".

Except they are not. Letting someone silently gain remote access to your system (in a worst case scenario) is much different from a device driver causing a crash or something.

Until the Linux maintainers prioritize security vulnerabilities as they should be, then it's hard to consider Linux secure. Honestly the Linux attitude is pretty much the same attitude Microsoft

patched in 3 ... 2 ...

[hduff]

Done.

Now to update existing installs.

Pipelines, Text

[jrbrtsn]

I see it again in this post where shell pipes are used to pass *text* between processes. This is not correct (at least on *nix), because every byte of output is passed unmolested to the connected process. This is behavior is quite useful fo stuff like this:

ssh remotehost.domain 'tar czf - *' | tar xzf -