If you’re running a Linux distro on your computer or use an Android smartphone, you should install the latest updates immediately as a severe security vulnerability has been found and patched in the Linux kernel.
The vulnerability, tracked as CVE-2022-0847 and dubbed “Dirty Pipe”, was discovered by a software developer named Max Kellerman at the web hosting company IONOS earlier this year.
According to a detailed blog post published by Kellerman, he first became aware of the vulnerability present in the Linux kernel since 5.8 after receiving customer complaints about corrupted files. After the same problem occurred multiple times after the first report, Kellerman was able to recognize a pattern and discover that the cause of the error was in the Linux kernel itself.
Following his discovery, Kellerman informed the Linux kernel team the same day and it quickly provided a patch for the issue. A security update has now been rolled out to all affected Linux versions and Google has also updated the Android operating system which is based on a modified version of the Linux kernel and other open source software.
Dirty Pipe vulnerability
If left unpatched on vulnerable systems, Dirty Pipe can be exploited by an attacker to gain complete control over affected computers and smartphones. With this access, they would be able to read users’ private messages, compromise banking apps and more.
Generally speaking, Linux allows precise permissions for reading, writing or executing files to be defined for each file. However, an error in the way memory is managed for communication between different processes (by means of so-called pipes) made it possible for an attacker to bypass these protection mechanisms.
The Dirty Pipe vulnerability affects all Linux systems from kernel version 5.8 on as well as Android devices running untrusted apps. While untrusted apps are usually isolated from the operating system as much as possible, the flaw could still be reproduced according to a recent email from IONOS.
Although the problem was quickly fixed by making a small adjustment to the source code of the Linux kernel, IONOS waited until patches for Dirty Pipe were widely rolled out before publishing additional details on the vulnerability.