Threat Watch

DirtyCred Linux Kernel Vulnerability Discovered

Researchers at Northwestern University have discovered a vulnerability in the Linux kernel that has existed since the release of kernel version 5.8. Exploitation can give an unprivileged user full root access; the technique revolves around manipulating the kernel's heap memory reuse mechanisms.

The name DirtyCred (CVE-2021-4154) references two earlier Linux kernel vulnerabilities with which it shares similarities: Dirty Cow (CVE-2016-5195) from 2016 and the more recent Dirty Pipe (CVE-2022-0847).

The technique was first presented in a talk at the Black Hat conference this year, where the researchers had this to say about their DirtyCred discovery:

“First, rather than tying to a specific vulnerability, this exploitation method allows any vulnerabilities with double-free ability to demonstrate dirty-pipe-like ability. Second, while it is like the dirty pipe that could bypass all the kernel protections, our exploitation method could even demonstrate the ability to escape the container actively that dirty pipe is not capable of.”

ANALYST NOTES

Linux distribution maintainers have released patches for this vulnerability, the details of which can be found here:
• Ubuntu: https://ubuntu.com/security/CVE-2021-4154
• RedHat/CentOS: https://access.redhat.com/security/cve/CVE-2021-4154
• Debian: https://security-tracker.debian.org/tracker/CVE-2021-4154

We highly encourage users to ensure that their operating systems are up to date to avoid any potential abuse of DirtyCred.
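As an added example (not part of this bulletin), the POSIX shell check below flags hosts whose running kernel falls in the version range the bulletin names as affected (5.8 and later) and points the operator to the vendor advisories listed above. The function names are my own, and a hit only means the vendor patch should be verified: distributions backport fixes without changing the upstream version number, so the range check is a triage prompt, not a vulnerability confirmation.

```shell
#!/bin/sh
# Added example, not from the original bulletin: triage check for the
# kernel version range the bulletin names as affected by DirtyCred
# (CVE-2021-4154): 5.8 and later. A hit means "confirm the vendor fix
# is installed", because distributions backport patches without bumping
# the upstream version.

# Return 0 if the release string (as printed by `uname -r`) is >= 5.8,
# 1 if it is older, 2 if it cannot be parsed. Build suffixes such as
# "-63-generic" or "-rc2" are ignored.
kernel_in_dirtycred_range() {
    release="$1"
    base=${release%%[-+]*}            # drop distro/build suffix
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') minor=0 ;; *[!0-9]*) return 2 ;; esac
    [ "$major" -gt 5 ] && return 0
    [ "$major" -eq 5 ] && [ "$minor" -ge 8 ] && return 0
    return 1
}

# Report on the local host. Advisory links are those from the bulletin.
report_local_kernel() {
    running=$(uname -r)
    if kernel_in_dirtycred_range "$running"; then
        echo "kernel $running is in the DirtyCred (CVE-2021-4154) range (>= 5.8)."
        echo "Confirm the vendor fix is installed via your distribution's advisory:"
        echo "  Ubuntu:        https://ubuntu.com/security/CVE-2021-4154"
        echo "  RedHat/CentOS: https://access.redhat.com/security/cve/CVE-2021-4154"
        echo "  Debian:        https://security-tracker.debian.org/tracker/CVE-2021-4154"
    else
        echo "kernel $running is below 5.8; outside the range the bulletin names."
    fi
}

report_local_kernel
```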

https://thehackernews.com/2022/08/as-nasty-as-dirty-pipe-8-year-old-linux.html

https://github.com/markakd/dirtycred

https://www.blackhat.com/us-22/briefings/schedule/#cautious-a-new-exploitation-method-no-pipe-but-as-nasty-as-dirty-pipe-27169