US warns of active exploitation of Dirty Pipe vulnerability in Linux

The US government has issued a warning that attackers are actively exploiting the Dirty Pipe vulnerability in Linux. The vulnerability allows a local user to gain root privileges. Government agencies in the US have been instructed to fix the vulnerability in their systems before May 16.

The vulnerability is called Dirty Pipe because of the insecure interaction between a Linux file, which is stored permanently on the hard drive, and a Linux pipe, which is an in-memory data buffer that can be used like a file. If a user has a pipe they can write to and a file they cannot write to, writing to the pipe's memory buffer may inadvertently also modify the cached pages of different parts of the disk file.

As a result, the kernel writes the modified cache buffer back to disk and the contents of the stored file are permanently changed, regardless of the file's permissions. A local user can add an SSH key to the root account, create a root shell, or add a cron job that runs as a backdoor and adds a new user account with root rights. Editing files outside a sandbox is also possible.
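Because the write succeeds regardless of file permissions, restrictive modes on these files prove nothing, and a defender has to check their content. The following is an added example, not part of the original article: it audits passwd-format text for extra UID 0 accounts, authorized_keys-format text for unapproved keys, and file content against SHA-256 baselines. All function names and sample values are constructed for illustration.

```python
import hashlib

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

def uid0_accounts(passwd_text):
    """Account names whose UID field is 0 in passwd-format text."""
    rows = (l.split(":") for l in passwd_text.splitlines()
            if l and not l.startswith("#"))
    return [f[0] for f in rows if len(f) >= 4 and f[2].strip() == "0"]

def unapproved_keys(authorized_keys_text, approved_blobs):
    """Key blobs present in authorized_keys-format text but not approved."""
    found = []
    for line in authorized_keys_text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        for i, tok in enumerate(parts[:-1]):  # options may precede the key type
            if tok in KEY_TYPES:
                if parts[i + 1] not in approved_blobs:
                    found.append(parts[i + 1])
                break
    return found

def changed_files(baseline, current):
    """Paths whose SHA-256 differs from the baseline; compares content, not mode."""
    return sorted(p for p, data in current.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(p))

# Constructed sample data (not from a real system).
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:x:1000:1000::/home/alice:/bin/sh\n"
                 "svc:x:0:0::/tmp:/bin/sh\n")
SAMPLE_KEYS = ("ssh-ed25519 AAAAconstructedApprovedBlob admin@ops\n"
               'command="/bin/sh" ssh-rsa AAAAconstructedUnknownBlob x\n')
SAMPLE_CRON = b"0 3 * * * root /usr/local/bin/backup\n"
BASELINE = {"/etc/crontab": hashlib.sha256(SAMPLE_CRON).hexdigest()}

if __name__ == "__main__":
    print(uid0_accounts(SAMPLE_PASSWD))
    print(unapproved_keys(SAMPLE_KEYS, {"AAAAconstructedApprovedBlob"}))
    print(changed_files(BASELINE, {"/etc/crontab": SAMPLE_CRON + b"* * * * * root /tmp/x\n"}))
```

On a real host the inputs would be the contents of the passwd file, root's authorized_keys file and the cron files, with the baseline hashes stored off the machine.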

The Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security maintains a list of actively attacked vulnerabilities and sets deadlines by which federal government agencies should install the update for each listed issue. The list, which provides insight into vulnerabilities that attackers can exploit, is regularly expanded with newly attacked vulnerabilities.

With the latest update, a total of seven newly attacked vulnerabilities have been added to the list. In addition to the Dirty Pipe vulnerability in Linux, these include four vulnerabilities in Windows that allow a local attacker to elevate their privileges. Microsoft released an update for one of these vulnerabilities (CVE-2022-26904) two weeks ago. According to Microsoft, the vulnerability was not yet being attacked at the time the patch was released. That has since changed, according to CISA, which again shows how quickly attackers take advantage of disclosed vulnerabilities.