What can Dirty Pipe do?
Recently disclosed by Max Kellermann as CVE-2022-0847, “Dirty Pipe” is a security exploit in select recent versions of the Linux kernel. (The kernel is the core of an operating system; it often acts as an intermediary between applications and the actual hardware.) In short, any application that can read files on your phone or computer – a permission many Android applications ask for – could potentially mess with your files or run malicious code. On desktop and laptop versions of Linux, it has already been shown that administrator privileges are easy to obtain.
Simply put, this exploit can easily give the attacker full control over your device.
Which devices are affected by “Dirty Pipe”?
Overall, “Dirty Pipe” affects Linux-powered devices – including everything from Android phones and Chromebooks to Google Home devices like Chromecasts, speakers, and displays. More specifically, the bug was introduced in Linux kernel version 5.8, released in 2020, and has remained present in later releases.
On the Android side, as noted by Ars Technica’s Ron Amadeo, the damage potential of “Dirty Pipe” is much more limited. Most Android devices use an older version of the Linux kernel that is not affected by the exploit. Only devices that started their lives on Android 12 are likely to be affected.
Unfortunately, this means that Android phones such as the Google Pixel 6 series and the Samsung Galaxy S22 series are potentially at risk from “Dirty Pipe”. In fact, the developer who originally discovered the exploit was able to reproduce it on a Pixel 6 and reported it to Google.
The easiest way to check whether your device is affected is to view your Linux kernel version. To do this, open the Settings app, open “About Phone”, tap “Android Version”, and then look for “Kernel Version”. If you are seeing a version higher than 5.8 – and Google has not yet released a security patch – your device is potentially at risk of the “Dirty Pipe” exploit.
To find the same information on Chrome OS, open a new tab, go to chrome://system, and scroll down to “uname”. You should see something like the text below. If the number after “Linux localhost” is higher than 5.8, your device may be affected.
Are attackers using the exploit?
So far, there are no known cases of the “Dirty Pipe” exploit being used to take control of a phone or computer. That said, many developers have shown proof-of-concept examples of how easily “Dirty Pipe” can be used. It is surely only a matter of time before Dirty Pipe-based exploits start to appear in the wild.
A recently spotted example (via Max Weinbach) shows Dirty Pipe being used to quickly gain root access on both a Pixel 6 and a Galaxy S22 using a proof-of-concept app. While it had previously been confirmed that the exploit is possible on the Pixel 6, this demo, published by Fire30, is the first to show Dirty Pipe in action on an Android phone.
What are Google and other companies doing?
In addition to originally discovering the Dirty Pipe exploit, Kellermann was also able to identify how to fix it, and submitted a patch to the Linux kernel project shortly after disclosing the issue privately. Two days later, newer builds of the supported Linux kernel versions came out that included the patch.
As previously mentioned, the Dirty Pipe exploit was also reported to Google’s Android security team in late February. Within days, Kellermann’s fix was added to the Android source code, keeping future builds safe. The Chrome OS team followed suit by picking up the patch on March 7, and the patch will likely roll out as a mid-cycle update to Chrome OS 99.
However, given how new both the exploit and the fix are, it seems the issue was not addressed in the March 2022 Android Security Bulletin. At this stage, it is unclear whether a special patch will be created for affected devices such as the Pixel 6 series, or whether the exploit will remain available until next month’s security patch. According to Android Police’s Ryne Hager, Google has confirmed that the recent delay of the March patch for the Pixel 6 is not related to the “Dirty Pipe” exploit.
Update 4/4: On schedule, Google has released the April 2022 patch for the Pixel 6 series and other Pixel phones. However, neither this month’s Android Security Bulletin nor the Pixel patch notes contain any mention of the Dirty Pipe exploit. This suggests that the Dirty Pipe exploit will remain available on the phones at least until the next monthly patch.
Galaxy phones also started receiving the April 2022 update this week. However, with Samsung only releasing patch notes towards the end of the month, we can’t yet be sure whether the Galaxy S22 series is still affected by Dirty Pipe.
Update 5/3: Google has now rolled out the May 2022 security patch for Pixel phones and unveiled a broader Android security bulletin for this month. The bulletin explicitly mentions the Dirty Pipe exploit, which means that any phone with a security update dated May 2022 or later is protected against attacks.
We confirmed that the patch arrived on Pixel 6 devices with the May 2022 update as the phone shows a newer version of the Linux kernel. Since the builds were created in March, they include the Dirty Pipe fix from February. Interestingly, the new kernel version is a bit older than what could be seen in the second beta test of the June Pixel feature drop.
#1 Fri Jan 21 06:54:49 UTC 2022
#1 Mon Mar 7 01:27:36 UTC 2022
Since the Pixel 6 and Galaxy S22 were the only devices known to have been affected by Dirty Pipe, and any newer devices should launch with the May 2022 update or later, this should mark the end of the Dirty Pipe exploit on Android.
How does “Dirty Pipe” work?
For the technically minded, especially those with Linux experience, Kellermann has published an interesting write-up of how “Dirty Pipe” was accidentally discovered and what its core mechanics are.
Here’s a (very) oversimplified explanation: as the name “Dirty Pipe” suggests, it has to do with the Linux concepts of “pipes” – which are used to get data from one application or process to another – and “pages” – small chunks of your RAM. In effect, an application can manipulate Linux pipes in a way that lets it insert its own data into a page of memory.
In this way, an attacker can easily change the contents of the file you are trying to open, or even gain complete control over your computer.
How can I secure my device?
As of May 2022, Dirty Pipe has been fixed on both the Google Pixel 6 series and the Samsung Galaxy S22 series, the only affected phones. To make sure your device is safe, simply update your phone’s software. On Pixel phones, you can do this in the Settings app; under “System” you should find “System Update”. If the “Android Security Update” shown is May 2022 or later, your device is safe.
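The two checks described in this article, the kernel version and the Android security patch level, can be combined into one triage script. The following is an added example, not code from the article or from Google; the function names, verdict words and sample kernel strings are constructed for illustration, and a kernel of 5.8 or newer without a known patch level is only reported as possibly affected, because vendors can ship the fix without changing the version number.

```sh
# Added example (not from the article): Dirty Pipe (CVE-2022-0847) triage using
# only the article's two facts: the bug entered Linux in 5.8, and an Android
# security patch level of May 2022 or later contains the fix.

# kernel_in_range STRING: exit 0 if kernel is 5.8 or newer, 1 if older, 2 if
# unparseable. Takes `uname -r` output or a full "Linux localhost ..." line.
kernel_in_range() {
    rel=$1
    case "$rel" in Linux\ *) rel=$(printf '%s\n' "$rel" | cut -d' ' -f3) ;; esac
    ver=${rel%%[!0-9.]*}          # drop suffixes such as "-android12-9-g..."
    case "$ver" in *.*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }
}

# patch_has_fix LEVEL: exit 0 if LEVEL (YYYY-MM-DD, as Android reports it via
# `getprop ro.build.version.security_patch`) is May 2022 or later, 2 if malformed.
patch_has_fix() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    ym=$(printf '%s\n' "$1" | cut -c1-4,6-7)    # 2022-05-05 -> 202205
    [ "$ym" -ge 202205 ]
}

# triage KERNEL [PATCH_LEVEL]: print a one-word verdict.
triage() {
    rc=0; kernel_in_range "$1" || rc=$?
    case $rc in
        1) echo not-affected; return 0 ;;
        2) echo unknown; return 0 ;;
    esac
    [ -n "${2:-}" ] || { echo possibly-affected; return 0; }
    rc=0; patch_has_fix "$2" || rc=$?
    case $rc in 0) echo patched ;; 1) echo at-risk ;; *) echo unknown ;; esac
}

# Constructed sample inputs: kernel string | Android patch level (may be empty).
while IFS='|' read -r kernel level; do
    printf '%-40s %s\n' "$kernel" "$(triage "$kernel" "$level")"
done <<'EOF'
5.10.43-android12-9-00001-gexample|2022-04-05
5.10.43-android12-9-00007-gexample|2022-05-05
4.19.191-gexample|2022-03-01
Linux localhost 5.10.100-example #1 SMP|
EOF
```

On a real device, pass the output of `uname -r` as the first argument and, on Android, the output of `getprop ro.build.version.security_patch` as the second.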