Expert Reacted On ‘Dirty Pipe’ Linux Vulnerability

By   ISBuzz Team
Writer , Information Security Buzz | Mar 09, 2022 04:17 am PST

It has been reported that a cybersecurity researcher released the details of a Linux vulnerability that allows an attacker to overwrite data in arbitrary read-only files. The vulnerability — CVE-2022-0847 — was discovered by Max Kellermann in April 2021, but it took another few months for him to figure out what was actually happening. Kellermann explained that the vulnerability affects Linux Kernel 5.8 and later versions but was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

Notify of
1 Expert Comment
Oldest Most Voted
Inline Feedbacks
View all comments
Tim Mackey
Tim Mackey , Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
March 9, 2022 12:17 pm

The Dirty Pipe vulnerability illustrates an inherent risk with all software development – code changes. In this case, identification of the core issue took several months. Not because there were delays in resolving the issue, but rather that for the impacted user, other issues held higher priority. Fixing a bug with intermittent occurrence would be treated in much the same manner within any development shop.

The root cause of the Dirty Pipe vulnerability results from a practice known as “refactoring.” Refactoring in software development occurs quite often and represents how the software implementation should change to reflect new requirements. If the refactoring process doesn’t account for why the original code behaved the way it did, then it’s entirely possible that the new implementation will have a bug – potentially one that might be latent for years. Solving for this requires discipline during the design phase for all code wherein behavioural assumptions are fully documented and then consulted when the code changes. After all, it’s unreasonable to expect any developer to remember why they implement code a specific way years after having done so.

Last edited 1 year ago by Tim Mackey

Recent Posts

Would love your thoughts, please comment.x