21-03-2022 | By Robin Mitchell
Linux is a very powerful and popular operating system used extensively in the mobile, IoT, and server world. However, a new vulnerability has been discovered, and it is essential that systems are upgraded to patch the serious flaw that allows for arbitrary code execution.
In April 2021, a bug in the Linux kernel was discovered by Max Kellermann, who later published his findings. As with most discovered bugs, it was announced to the world only months after its discovery, giving security experts time to update systems and introduce fixes. The bug, designated CVE-2022-0847, has now been fixed; it affects only systems running Linux kernel versions from 5.8 onward that have not yet been updated, and the fix is included in 5.16.11, 5.15.25, and 5.10.102.
The bug takes advantage of the operating system's poor handling of pipes and page caching, which ultimately allows an attacker without administrative privileges to inject arbitrary code into privileged processes.
Without going into too much detail (which can be found here), the bug stems from the Linux kernel not correctly initialising the flag values used when pipes work with the page cache. A rogue program can create a pipe, fill the pipe with arbitrary data (which sets a specific flag), drain the pipe (this step does not reset the previous flag), open a read-only file, and then write arbitrary data into the pipe.
When the pipe is drained, the kernel is supposed to clear the flags for that pipe, but the affected versions of Linux do not, leaving the flags holding stale values. As a result, a write into the pipe can end up modifying the page cache of a file that was opened read-only.
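As an added defender-side check (not code from the article), the following Python classifies a kernel release string, such as the output of `uname -r`, against the version ranges the article gives. It assumes that each of the three listed fix releases covers its whole stable branch from that sublevel onward.

```python
import platform
import re

# Fixed stable releases named in the article for CVE-2022-0847 ("Dirty Pipe").
# Keyed by (major, minor) branch; the value is the first patched sublevel.
FIXED = {
    (5, 10): 102,
    (5, 15): 25,
    (5, 16): 11,
}
FIRST_AFFECTED = (5, 8)  # the article: 5.8 and newer are affected

def parse_kernel_version(release):
    """Turn a `uname -r` string such as '5.15.0-25-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)

def dirty_pipe_status(release):
    """Classify a kernel release against the upstream ranges in the article.

    Returns one of:
      'not-affected' -- below 5.8, where the bug does not exist
      'patched'      -- on a listed stable branch at or above its fix release
      'vulnerable'   -- 5.8 or newer and below the fix for its branch, or on a
                        5.8-5.16 branch with no listed fix (e.g. 5.11 to 5.14)
      'unknown'      -- newer than any branch the article lists (mainline 5.17
                        shipped with the fix, but confirm with your vendor)
    """
    major, minor, patch = parse_kernel_version(release)
    if (major, minor) < FIRST_AFFECTED:
        return "not-affected"
    fix = FIXED.get((major, minor))
    if fix is not None:
        return "patched" if patch >= fix else "vulnerable"
    if (major, minor) > max(FIXED):
        return "unknown"
    return "vulnerable"

if __name__ == "__main__":
    running = platform.release()  # the kernel this script is running on
    print(f"{running}: {dirty_pipe_status(running)}")
```

Version numbers are only a first screen: distribution kernels often backport the fix without changing the upstream version string (a 5.15.0-based distro kernel may already be patched), so confirm the result against the vendor's advisory.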
It is hard to determine how many devices are vulnerable to this bug, but devices using Linux 5.8 and over are vulnerable unless they are updated to one of the three versions previously mentioned. Considering that IoT devices use the Linux OS en masse, there may be millions of devices worldwide that are currently vulnerable. This is worsened by the fact that IoT devices can often be challenging to update, depending on the environment they are installed in and on whether the owners of the devices are aware that updates are required.
Of course, this vulnerability does not affect Linux versions prior to 5.8, but the disadvantage of older kernels is that they may be vulnerable to many other bugs that have since been fixed in 5.8 and above. Because Linux 5.8 is a relatively new version (released in August 2020), only Linux devices made since then will be vulnerable to the bug, assuming a device cannot auto-update without user intervention.
This is not the first time Linux, and the software systems that depend on it, have seen security flaws that leave many millions of devices at risk. This newly discovered bug does not demonstrate that Linux is a flawed system that should be avoided, as all operating systems (Windows very much included) contain vulnerabilities. If anything, the speed and secrecy with which this bug was dealt with show the advantages of open-source software systems.
However, this bug does provide evidence against the use of publicly available software solutions in IoT devices and in those handling critical infrastructure. IoT devices found in the home are often used to control doors, windows, and air conditioning, which, if hacked, could give attackers access to personal data and control of a home. That is intrusive and potentially damaging, but a criminal with access to the infrastructure that controls power stations and water lines could bring mayhem to millions.
As such, those building devices for infrastructure and national defence should consider using platforms designed from scratch with only the absolutely necessary services running. It may be easier to design a power grid controller using Linux, but in terms of security, it would arguably be safer to use a DIY closed-source system that the public does not have access to.
Of course, DIY systems introduce their own security flaws through incompetent programming (remember that Linux is developed by a community of thousands of Linux legends), and information about a closed-source solution could be leaked accidentally. A vulnerability in a closed-source system could thus be discovered and known only to a few hackers, who could exploit it at any time in the future with no warning.