All Your Pipeline Are Belong To Nobody
Several pipelines have been in the news lately, but this one is a wee bit different, as it refers to the pipelines in Linux used to pass data from one process to another. A very dedicated tech spent several months tracking down the root cause of a customer's trouble with repeatedly corrupted files and discovered that a bug in the Linux kernel was responsible. A bit more research determined that this bug could be leveraged in a variety of spectacularly nasty ways by someone interested in causing havoc, and it was given the name Dirty Pipe.
The bug could be leveraged to allow the built-in nobody account, which has the lowest level of permissions possible, to add an SSH key to the root user's account and then use that key to start a new SSH session with full root privileges. At that point an attacker would have full control over the machine. Unfortunately, that is just the start of the problems, as other researchers found a variety of other possible attacks once the bug was made public.
Using this bug, the nobody account can overwrite protected read-only system files, create new users, create cron jobs to run in the background, modify the scripts that services use, and do a variety of other nasty things which you really don't want to think about. The good news is that the Dirty Pipe bug has been patched in kernel versions 5.16.11, 5.15.25, and 5.10.102, so check your systems and start updating any that have fallen behind.
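To check a fleet against those fixed versions, the following shell function (an added example, not code from the original post) classifies a kernel release string as reported by `uname -r`. The function name `dirty_pipe_status` is hypothetical; the 5.8 lower bound and the treatment of 5.17 and later as fixed come from the public disclosure rather than this post. Distribution kernels often backport fixes without changing the upstream version number, so treat a `vulnerable` result as a prompt to check the vendor advisory.

```shell
#!/bin/sh
# Added example: triage a kernel release string against the fixed versions
# named in the post (5.16.11, 5.15.25, 5.10.102).
# Assumptions not from the post: the bug first appeared in 5.8 and final
# 5.17 and later releases include the fix.

dirty_pipe_status() {
    case $1 in *-rc*) echo unknown; return 0 ;; esac   # pre-releases: verify by hand
    ver=${1%%[-+]*}                 # drop suffixes such as -generic or +deb11
    case $ver in *.*) ;; *) echo unknown; return 0 ;; esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;             # e.g. "5.17" with no patch level
    esac
    # Reject anything that is not three plain integers.
    for n in "$major" "$minor" "$patch"; do
        case $n in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    done

    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return 0
    fi
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo patched; return 0
    fi
    # 5.8 through 5.16: only three stable branches received the fix upstream.
    case $minor in
        10) fixed=102 ;;
        15) fixed=25 ;;
        16) fixed=11 ;;
        *)  echo vulnerable; return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# Report on the running kernel when the script is executed.
echo "$(uname -r): $(dirty_pipe_status "$(uname -r)")"
```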
Linux has yet another high-severity vulnerability that makes it easy for untrusted users to execute code capable of carrying out a host of malicious actions, including installing backdoors, creating unauthorized user accounts, and modifying scripts or binaries used by privileged services or apps.