Last week Max Kellermann from Ionos, a German webhosting provider, published a new post on Dirty Pipe Vulnerabilities https://dirtypipe.cm4all.com/ Did you already hear about dirty pipe?
Back in 2021 Max found out that there is a vulnerability of Linux systems running kernel 5.8 and newer. And that vulnerability allowed attackers – or could allow attackers – to ultimately override and alter every file on a Linux system, even write protected and immutable ones, and also including system parts.
In fact, there is already an exploit out there. So that vulnerability is currently in exploitation. And you should make sure that you could update. The root cause according to Max was that with Linux, 5.8 bugs or “features” have been introduced, that would allow the systems page cache to be attacked or overwritten by malicious statements. And to make things worse the page cache is used everywhere within a Linux system, even allowing access to write protected and immutable files. And there’s already an exploit out there which is addressing the passwords file of the system and creates a new root password, which is obviously known to the attacker and would allow that attacker to gain full control on such a compromised system.
Good news is: Max also found out how to mitigate from that. Those mitigations have already been incorporated within the most recent versions of the Linux kernel. And that´s it?
There are newer versions of the Linux kernel available, but depending on your distribution and depending on the channel of your distribution you are working in, it could still last a while. The Linux kernel versions that already include those patches are Linux kernel 5.16.11 or newer, Linux kernel 5.15..25 or newer, or Linux kernel 5.10.102 or newer. So, if you happen to be on a distribution already providing you these, roll them out as soon as possible.
If you, for example, are running Red Hat Enterprise Linux, the commercial Linux offered by Red Hat, which is in the market with claims stating that they are more secure and more advanced than others, you get to feel the tough reality: There is no update yet. But this also applies to other distributions, for example, on the Debian Bullseye stable branch the update has not been incorporated.
If you have access to a Linux providing you with different streams, different versions, different branches, whatever you might call them, you could be in luck though, as for example, we found out that the Security or the SID-branches of Debian Bullseye already contain the patched kernels and you could simply use those kernels on your stable version of Debian Bullseye.
To summarize, what can you do to prevent from being exploited:
Lower the attack surface, meaning: Your Linux should not expose an SSH-port to the outside world, if you can prevent that from happening. You should always have your servers in some sort of a special zone where you can only access them using VPN or other means of secure communications. And then and only then use SSH.
Secondly, if available, update as soon as possible. So, you get those new versions of the Linux kernel being rolled out.
Thirdly: If there is no update available, check the other branches of your Linux distribution, if there is something available and at your disposal.
And if that is not working, probably – fourth – compile your own kernel, so you would make sure that you have the latest kernel version available for your distribution.
Again, a lot of effort to be invested into that, but it is worth it.
More information about mitigation of dirty pipes:
https://www.youtube.com/watch?v=73D4BHM5Bnc
https://scs.community/security/2022/03/07/advisory-dirty-pipe/
Comment by Karsten Samaschke.