IONOS software developer Max Kellermann recently discovered a critical security flaw in the Linux kernel that could let attackers take over vulnerable systems by overwriting arbitrary data into any read-only file.
Researchers believe the kernel flaw has existed since version 5.8. It resembles “Dirty Cow” (CVE-2016-5195), a vulnerability that surfaced in October 2016.
“A flaw was found in the way the “flags” member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values,” according to a Red Hat security advisory published yesterday.
“An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.”
In other words, the vulnerability could let threat actors perform various operations on the compromised system. For instance, they could remove a root user’s password by tampering with sensitive files such as /etc/passwd, execute arbitrary binaries with elevated privileges, or enable remote access by adding SSH keys.
To make matters worse, the flaw doesn’t require write permissions and it works on read-only btrfs snapshots, read-only mounts (including CD-ROM) and immutable files. “That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions,” the researcher said.
The vulnerability has been patched in Linux kernel versions 5.16.11, 5.15.25 and 5.10.102. Considering the threat level of this vulnerability and the ease with which it can be leveraged, users should update their Linux servers and patch their Linux distributions as soon as possible.
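A quick way to triage a fleet against the fixed releases named above is to compare each host’s kernel release string with the first patched version of its stable branch. The following is an added example, not code from the article or from the researcher; it assumes the branch table below (taken from the versions quoted in the article) and uses a constructed heuristic to flag vendor kernels whose version numbers do not track upstream patch levels, since those must be judged by the vendor’s own advisory.

```python
"""Triage helper: is this kernel release string at or past the fixed version?

Assumptions (not from the article):
  * only upstream-numbered releases (e.g. "5.15.24", "5.16.11-arch1-1") are
    compared; Debian/Ubuntu ("5.15.0-25-generic") and RHEL (".el8") style
    strings carry backported fixes that the version number does not reveal.
  * branches not listed in the article (e.g. 5.12, 5.17) are reported as
    "unknown" rather than guessed.
"""
import re

# (major, minor) -> first patch level that carries the fix, per the article.
FIXED = {(5, 16): 11, (5, 15): 25, (5, 10): 102}
FIRST_AFFECTED = (5, 8)  # article: flaw believed present since 5.8

# Constructed heuristic: Debian/Ubuntu ABI tags ("-25-") and RHEL (".el8").
VENDOR_TAG = re.compile(r"\.el\d|-\d+-")


def parse_release(release: str) -> tuple[int, int, int]:
    """Extract (major, minor, patch) from a `uname -r` style string."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(release: str) -> str:
    """Classify a release as 'vendor kernel', 'not affected', 'patched',
    'vulnerable' or 'unknown' using only the article's fixed versions."""
    if VENDOR_TAG.search(release):
        return "vendor kernel"          # consult the distribution's advisory
    major, minor, patch = parse_release(release)
    if (major, minor) < FIRST_AFFECTED:
        return "not affected"
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "unknown"                # branch not covered by the article
    return "patched" if patch >= fixed else "vulnerable"


if __name__ == "__main__":
    import platform
    print(platform.release(), "->", assess(platform.release()))
```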