If you're running a Linux distro (opens in new tab) on your computer or use an Android smartphone (opens in new tab), you should install the latest updates immediately as a severe security vulnerability has been found and patched in the Linux kernel.
The vulnerability, tracked as CVE-2022-0847 (opens in new tab) and dubbed “Dirty Pipe”, was discovered by a software developer named Max Kellerman at the web hosting (opens in new tab) company IONOS (opens in new tab) earlier this year.
According to a detailed blog post (opens in new tab) published by Kellerman, he first became aware of the vulnerability present in the Linux kernel since 5.8 after receiving customer complaints about corrupted files. After the same problem occurred multiple times after the first report, Kellerman was able to recognize a pattern and discover that the cause of the error was in the Linux kernel itself.
Following his discovery, Kellerman informed the Linux kernel team the same day and it quickly provided a patch for the issue. A security update has now been rolled out to all affected Linux versions and Google has also updated the Android operating system which is based on a modified version of the Linux kernel and other open source software (opens in new tab).
Dirty Pipe vulnerability
If left unpatched on vulnerable systems, Dirty Pipe can be exploited by an attacker to gain complete control over affected computers and smartphones. With this access, they would be able to read users' private messages, compromise banking apps and more.
Generally speaking, Linux allows precise permissions for reading, writing or executing files to be defined for each file. However, an error in the way memory is managed for communication between different processes (by means of so-called pipes) made it possible for an attacker to bypass these protection mechanisms.
> This Linux backdoor went undetected for 10 years (opens in new tab)
> Multiple vulnerabilities put 40 million Ubuntu users at risk (opens in new tab)
> Linux devs fix nasty vulnerability dating back half a decade (opens in new tab)
The Dirty Pipe vulnerability affects all Linux systems from kernel version 5.8 (opens in new tab) on as well as Android devices running untrusted apps. While untrusted apps (opens in new tab) are usually isolated from the operating system as much as possible, the flaw could still be reproduced according to a recent email from IONOS.
Although the problem was quickly fixed by making a small adjustment to the source code of the Linux kernel, IONOS waited until patches for Dirty Pipe were widely rolled out before publishing additional details on the vulnerability.
- We've also highlighted the best endpoint protection software (opens in new tab) and the best firewall (opens in new tab)
