Sunday, January 29, 2023

Linux hit with its most high-severity vulnerability in years


Linux has been hit with a high-severity vulnerability that allows untrusted users to execute code capable of performing a host of malicious actions, including installing backdoors, creating unauthorized user accounts, and modifying scripts or binaries used by privileged applications and services.

The Dirty Pipe vulnerability, as the flaw has been named, is among the most serious Linux vulnerabilities disclosed since 2016, the year another high-severity and easy-to-exploit Linux flaw (named Dirty Cow) came to light as it was being used to hack a researcher's server. Researchers in 2016 demonstrated how to exploit Dirty Cow to root any Android phone, regardless of the OS version. Eleven months later, researchers found 1,200 Android apps in third-party marketplaces that were exploiting the flaw to do exactly that.

When nobody becomes all-powerful

Dirty Pipe's name is intended both to signal its similarity to Dirty Cow and to hint at the vulnerability's origin. "Pipe" refers to a pipeline, the Linux mechanism one process uses to pass data to another. A pipeline is a chain of processes connected so that the output (stdout) of one program is fed directly as the input (stdin) of the next.

CVE-2022-0847, as the vulnerability is tracked, came to light when a researcher at the website builder CM4all was troubleshooting a series of corrupted files that kept appearing on a customer's Linux machine. After months of analysis, the researcher determined that the corruption was caused by a bug in the Linux kernel.

Max Kellermann, the researcher at CM4all parent company Ionos, eventually found a way to weaponize the vulnerability so that anyone with an account, including the least-privileged "nobody" account, can add an SSH key to the root user's account. With that done, an untrusted user can log in to the server remotely over SSH and obtain a shell with full root privileges.

Others quickly demonstrated that the unauthorized creation of an SSH key is only one of many malicious actions the vulnerability enables. One publicly posted proof of concept hijacks a SUID binary to spawn a root shell; another lets untrusted users overwrite data in read-only files.

Other malicious actions enabled by Dirty Pipe include creating a script that acts as a backdoor, adding a new user account to the /etc/passwd and /etc/shadow files (giving the account root privileges), and modifying a script or binary used by a privileged service.


"It's about as severe as it gets for a local kernel vulnerability," Brad Spengler, director of Open Source Security, wrote in an email. "Just like Dirty Cow, there's essentially no way to mitigate it, and it involves core Linux kernel functionality."

The vulnerability was introduced in Linux kernel version 5.8, released in August 2020, and persisted until February 2022, when it was fixed in releases 5.16.11, 5.15.25, and 5.10.102. Virtually all Linux distributions are affected.

Throwing a wrench into Android

Dirty Pipe also affects any version of Android built on one of the vulnerable Linux kernels. Because the Android ecosystem is so fragmented, affected devices can't be identified uniformly. The latest Android builds for the Pixel 6 and the Samsung Galaxy S22, for example, run kernel 5.10.43, which means they are vulnerable. A Pixel 4 on Android 12 runs 4.14 and is not affected. Android users can see which kernel version their device runs under Settings > About phone > Android version.
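As an added example (not code from the article, nor from Kellermann or any of the proof-of-concept authors), the POSIX shell script below places a kernel version string in the window the article gives: introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11, with 5.17 and later released after the fix. It is meant for the distribution check above (the running kernel from uname -r) and for the Android kernel versions just listed, which can be typed in by hand. The names dirty_pipe_status, vercmp and fields are the script's own. The version-number heuristic is an assumption with a known limit: distributions backport fixes without changing the version number, so a "vulnerable" verdict must be confirmed against the vendor's advisory.

```shell
#!/bin/sh
# Added example, not from the article: classify a Linux/Android kernel version
# string against the Dirty Pipe (CVE-2022-0847) window the article describes.
#   introduced : 5.8
#   fixed in   : 5.10.102, 5.15.25, 5.16.11 (and every 5.17+ release)
# Series with no listed stable fix (5.8, 5.9, 5.11-5.14) are reported as
# vulnerable. Distributions backport fixes without bumping the version, so a
# "vulnerable" verdict is a prompt to check the vendor advisory, not proof.

# Split "5.10.43-android12-9-..." into "5 10 43"; a missing field becomes 0.
fields() {
    stripped=${1%%[!0-9.]*}   # drop everything from the first non-[0-9.] char
    echo "$stripped" | awk -F. '{ printf "%d %d %d", $1, $2, $3 }'
}

# Numeric comparison of two version strings; prints -1, 0 or 1.
vercmp() {
    set -- $(fields "$1") $(fields "$2")
    a1=$1; a2=$2; a3=$3; b1=$4; b2=$5; b3=$6
    for pair in "$a1 $b1" "$a2 $b2" "$a3 $b3"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return 0; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Prints "not-affected", "vulnerable" or "fixed" for one kernel version.
dirty_pipe_status() {
    ver=$1
    if [ "$(vercmp "$ver" 5.8)" -lt 0 ]; then
        printf '%s\n' not-affected; return 0
    fi
    set -- $(fields "$ver")
    case "$1.$2" in
        5.10) fix=5.10.102 ;;
        5.15) fix=5.15.25 ;;
        5.16) fix=5.16.11 ;;
        *)    fix=5.17 ;;   # 5.17 shipped after the fix; 5.8-5.9 and 5.11-5.14 fall below it
    esac
    if [ "$(vercmp "$ver" "$fix")" -ge 0 ]; then
        printf '%s\n' fixed
    else
        printf '%s\n' vulnerable
    fi
}

# Usage: sh dirtypipe-check.sh [version ...]   (no argument: the running kernel)
main() {
    if [ $# -eq 0 ]; then set -- "$(uname -r)"; fi
    for v in "$@"; do
        printf '%s: %s\n' "$v" "$(dirty_pipe_status "$v")"
    done
}

main "$@"
```

Run it with no arguments on a Linux host to classify the running kernel, or pass versions copied from a phone's About page (for example `sh dirtypipe-check.sh 5.10.43 4.14.0`). A vendor suffix such as `-generic` or `-android12-9-...` is ignored, and a pre-5.8 result is reliable; a "vulnerable" result on a distribution kernel means the version alone cannot rule the fix out, so check the vendor's CVE-2022-0847 advisory.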

“The Dirty Pipe vulnerability is extremely serious in that it allows an attacker to overwrite–temporarily or permanently–files on the system they should not be able to change,” Christoph Hebeisen, head of security research at mobile security provider Lookout, wrote in an email. “Attackers can use this to change the behavior of privileged processes, effectively gaining the capability to execute arbitrary code with extensive system privileges.”

The Lookout researcher said the vulnerability could be exploited on Android phones by a malicious app that escalates its privileges, which are restricted by default. Another route, he said, is to chain a separate exploit that yields only limited code execution (for instance, by abusing the permissions of a legitimate app that has been compromised) with Dirty Pipe to gain unrestricted root.

Although Kellermann said Google merged his fix into the Android kernel in February, there is no indication that Android builds based on a vulnerable Linux kernel have been patched. Users should assume that any device running an Android version built on a vulnerable Linux kernel is at risk from Dirty Pipe. Google representatives did not respond to an email seeking comment.
