“Dirty Pipes” in the Kernel

A few years ago, a vulnerability dubbed “Dirty Cow” (CVE-2016-5195) was in the spotlight for a while. It was a trivially exploitable privilege escalation path that basically affected any Linux distribution and was exploited in the wild extensively. That vulnerability abused the Kernel’s Copy-On-Write (COW) mechanism and was sometime later found to be remotely exploitable through web servers that allowed file uploads.

On the 7th of March 2022, a similar vulnerability was disclosed, also affecting all recent Linux distributions, nicknamed “Dirty Pipe” (CVE-2022-0847). It lets an unprivileged user overwrite any file, or part of a file, on a Linux system, even read-only ones. Several variants have already been disclosed that allow for the replacement of SUID files.

Patches for CVE-2022-0847 will be made available through KernelCare in the coming days, and this post will be updated with availability information as each becomes ready. At this moment, vulnerable kernel versions include 5.8 and onwards, with the flawed commit having been backported to multiple 4.x versions as well.

[Update 9th March: Updates for RHEL 8 and Oracle EL 8 are now available for deployment. Further patches are being prepared for other distributions.

Update 10th March: Updates for CentOS8, Almalinux 8, Rocky Linux, Ubuntu 20.04, CloudLinux 8 and CloudLinux 7h are also completed and are going to show up on feeds.

Update 11th March: Another batch of updates released for Ubuntu 18.04, Proxmox VE5 and Proxmox VE6.]

To understand the underlying flaw behind CVE-2022-0847, it is important that we first offer some brief information regarding CVE-2016-5195. “Dirty Cow” was possible because a race condition was found in the Copy-On-Write subsystem within the kernel. As a result, an unprivileged user could write in otherwise unreachable memory locations through this flaw. This would “dirty” those memory locations, hence the name. Moving from this to an elevation of privilege is a trivial operation for any properly motivated malicious actor, and in fact, that is precisely what happened. While “Dirty Cow” started as a local-only exploit, it was soon discovered that web servers that had the option to accept uploads from users could also be used as an attack vector. Hence, the vulnerability turned out to be remotely exploitable.

Fast forward a few years, and now IT teams are faced with “Dirty Pipe”, or CVE-2022-0847 if you think nicknaming vulnerabilities is not a very professional thing to do. As the name suggests, the flaw this time lies in the pipe handling code. Pipes are used as a way to pass information between processes. The most visible way pipes are used is when chaining commands, passing the output from one to the next through a “pipe”. Note that pipes can be created directly in code rather than simply used in the shell by an end-user or script.

It turns out that code introduced in this commit to the Linux Kernel “refactored” the way pipe flags (a way to control pipe behavior) are handled. You can read the extensive process behind the discovery of this vulnerability here.

Long story short, it became possible to write user-controlled content at an equally user-controlled offset in any file within the system (note that, since everything in a Linux system is technically a “file”, new variants of this vulnerability may introduce new, as-yet unknown behaviors). For example, introducing new content into /etc/shadow, or other, more subtle, ways of manipulating a system.

Since the exploit code is trivial, it is already widely available online (while not a deterrent, we try to refrain from posting direct links to exploit code on our blog). Because pipes are a basic functionality of the Kernel, the potential risk posed by this vulnerability is very high. It is also noteworthy that several variants have already been found, where the same flaw is used to abuse other system components rather than just writing directly to otherwise unwritable files. It is not that far-fetched to imagine that remotely exploitable attack vectors will surface in the coming days, just like they appeared for “Dirty Cow” in 2016.

For a quick check, customers might want to verify the kernel version in use. Kernels before 5.8, and those starting with 5.16.11, 5.15.25 and 5.10.102, are not affected. Other kernel versions may depend on the specific backporting policies of each vendor and are currently being evaluated.
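As an added example (not part of the original post and not KernelCare tooling), the following POSIX shell function turns the version boundaries quoted above into a quick triage check: anything before 5.8 is reported as not affected, the 5.10, 5.15 and 5.16 series are compared against their first fixed patch level, other 5.8+ series are reported as affected, and versions past 5.16 are reported as unknown because the post gives no boundary for them. The function name and the three-way result are assumptions made here; it only understands upstream numbering, so for a distribution kernel the vendor advisory remains authoritative.

```shell
#!/bin/sh
# Added example: classify a kernel version string against the CVE-2022-0847
# boundaries quoted in the post (not affected before 5.8; fixed in 5.16.11,
# 5.15.25 and 5.10.102). Upstream numbering only: distribution kernels
# backport fixes, so for a vendor kernel treat the answer as a hint and
# rely on the vendor's advisory.

# Split "MAJOR.MINOR.PATCH[-suffix]" into the integers maj/min/pat.
# Non-numeric tails (e.g. "102rc1") are trimmed; missing fields become 0.
# Returns 1 when the major field is not a number (unparseable input).
kver_parts() {
    v=${1%%-*}                 # drop "-generic", "-348.el8", ...
    oldifs=$IFS; IFS=.
    set -- $v                  # split on '.', positional params are local here
    IFS=$oldifs
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    maj=$1
    min=${2%%[!0-9]*}; pat=${3%%[!0-9]*}
    min=${min:-0}; pat=${pat:-0}
}

# Print one of: not-affected, affected, unknown.
dirty_pipe_upstream_status() {
    kver_parts "$1" || { echo unknown; return 0; }
    # Pre-5.8 kernels never contained the flawed commit upstream.
    if [ "$maj" -lt 5 ] || { [ "$maj" -eq 5 ] && [ "$min" -lt 8 ]; }; then
        echo not-affected; return 0
    fi
    # The post gives no fix boundary past the 5.16 series.
    if [ "$maj" -gt 5 ] || [ "$min" -gt 16 ]; then
        echo unknown; return 0
    fi
    # Stable series that received the fix, with the first fixed patch level.
    case "$min" in
        10) fixed=102 ;;
        15) fixed=25 ;;
        16) fixed=11 ;;
        *)  fixed= ;;          # 5.8, 5.9, 5.11-5.14: no fixed release listed in the post
    esac
    if [ -n "$fixed" ] && [ "$pat" -ge "$fixed" ]; then
        echo not-affected
    else
        echo affected
    fi
}

# Usage: report the running kernel.
running=$(uname -r)
echo "$running: $(dirty_pipe_upstream_status "$running")"
```

Run it as `sh dirty-pipe-check.sh` on each host, or feed it version strings from an inventory; a result of `unknown` or a vendor kernel that reports `affected` is a prompt to read the distribution's advisory rather than a verdict.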

Updates for RHEL 8, Oracle EL 8, CentOS8, Almalinux 8, Rocky Linux, Ubuntu 18.04, Ubuntu 20.04, Proxmox VE5, Proxmox VE6, CloudLinux 8 and CloudLinux 7h are now available for deployment through KernelCare Enterprise. Further patches are being prepared for other distributions. IT teams are strongly encouraged to patch this vulnerability as soon as possible. TuxCare’s patches for KernelCare Enterprise will be made available shortly, and this post will be updated to reflect the actual availability of these patches when each is released.

TuxCare’s KernelCare Enterprise is providing live patches for “Dirty Pipe” even when the original distribution vendor is not able to do so with their own live patching solution.

Through KernelCare Enterprise, receiving patches for this and other vulnerabilities can be done without disrupting running workloads or having to reboot systems. If you would like to know more about KernelCare Enterprise and other TuxCare products, please check here.

Thought Spectre is history? It’s still alive, and kicking

Cyber threats come and go, but some threats leave a lasting imprint due to their impact. Think of Spectre and the closely related Meltdown, for example, two of the most widely covered vulnerabilities in recent memory.

It is of course frustrating when a cyber threat simply refuses to go away, and even worse when it is a highly prominent vulnerability. That’s turning out to be the case with Spectre, one of the most dangerous exploits of recent times. While patched systems are protected against Spectre, the nature of Spectre patches and the resulting impact on performance means that a large number of systems have not been patched..

Identify, mitigate & prevent buffer overflow attacks on your systems

Buffer overflow vulnerabilities remain a common way in which cyber criminals gain illegal entry into computer systems. According to the National Vulnerability Database, there has been a steady increase in reported buffer overflow vulnerabilities over the decades – with 842 reported just last year.

Remote code execution attack: what it is, how to protect your systems

Cybercriminals use a range of strategies to target vulnerable systems – and remote code execution (RCE) attacks are one of the most common strategies. Indeed, according to the 2020 Global Threat Intelligence Report from NTT, RCE attacks were the most common attack technique observed – followed by injection attacks.

The Hidden Costs of a Data Breach That Could Last Years

Software bugs and vulnerabilities often lead the way to massive security breaches via exploitation. These breaches spawn heavy costs to the organization in well-known monetary fees and penalties, but there are several unforeseen costs that affect the organization internally and publicly.

KernelCare Patches for Cross-layer Attack Have Been Released

A new vulnerability (CVE-2020-16166) in the pseudo random number generator (PRNG) was found by Amit Klein, vice president of security research at SafeBreach and a security researcher at Israel’s Bar-Ilan University.

The vulnerability opens the door to Cross-Layer Attacks, a new hacking technique that raises a risk of DNS cache poisoning and that can enable the unauthorized identification and tracking of Linux and Android devices.

KernelCare patches for Debian 10, Debian 8, Oracle Linux UEK 5 and 6, Ubuntu 18.04 and 20.04 are already available. Patches for RHEL 8 and Oracle Linux UEK 4 will be released early next week.

KernelCare+ Patches For CVE-2020-1971 Are Here

Big news from the OpenSSL team – they issued the fix for a new CVE-2020-1971, which causes server disruption via X.509v3 certificate fields. The good news is that it cannot result in data theft; however, it has the ability to shut down your servers and paralyse a company’s operations. OpenSSL 1.1.1 and 1.0.2 are affected by this issue. Other OpenSSL releases are out of support, have not been checked and with high probability will not be addressed by the vendor.

Right now, the KernelCare Team is doing the delicate work of porting the vendor’s 1.1.1 patches to v1.1.0 and enriching them with live patching technology. The rebootless patches for both supported and unsupported versions of OpenSSL will be delivered within 24 hours for CentOS 6 and 7, with patches for the remaining supported distributions released later this week.

Keeping Your Company Data Safe From Ransomware on Linux

In this article, we explore ransomware, specifically the unique way it attacks Linux-based systems.

“It was called a tribute before a battle, and a ransom afterwards”.

This famous quote from English author T.H. White represents the delicate balance required to keep cyber attackers at bay. Your company pays tributes to security staff, an IT department, and anti-malware vendors as much as possible to keep your Linux servers secure.

A Guide to Memory Vulnerabilities in the Linux Kernel

Most cyber-attacks are financially motivated, so attackers constantly come up with new ways to breach data. While the number and sophistication of such attacks are constantly increasing, most of them are based on memory-corruption vulnerabilities—a problem that has persisted for the last four decades. To better fight cyber-attackers, administrators who understand memory corruption can leverage this knowledge to proactively defend infrastructure. This guide will provide administrators with information to help them better understand memory corruption and the aftermath should an attacker exploit such a vulnerability.

Rebootless Patches for ‘BleedingTooth’ are on the Way

Google security researchers recently found a flaw in the way the Linux kernel’s Bluetooth implementation handled L2CAP packets with the A2MP CID. A remote attacker in range could use this flaw to crash a targeted system, causing a denial of service, or potentially execute arbitrary code on the system by sending a specially crafted L2CAP packet. All Linux distributions are affected, but the exploit is only possible if you have devices connected via Bluetooth to your infrastructure.
