Google Pixel 6, Samsung Galaxy S22, and some other new devices running on Android 12 are affected by a highly severe Linux kernel vulnerability called “Dirty Pipe.” The vulnerability can be exploited by a malicious app to gain system-level access and overwrite data in read-only files on the system. First noticed on the Linux kernel, the bug was reproduced by a security researcher on Pixel 6. Google was also informed about its existence to introduce a system update with a patch.
Security researcher Max Kellermann of German Web development company CM4all spotted the ‘Dirty Pipe’ vulnerability. Shortly after Kellermann publicly disclosed the security loophole this week that has been recorded as CVE-2022-0847, other researchers were able to detail its impact.
As per Kellermann, the issue existed in the Linux kernel since the version 5.8, though it was fixed in the Linux 5.16.11, 5.15.25, and 5.10.102. It is similar to the ‘Dirty COW‘ vulnerability but is easier to exploit, the researcher said.
The ‘Dirty COW’ vulnerability had impacted Linux kernel versions created before 2018. It also impacted users on Android, though Google fixed the flaw by releasing a security patch back in December 2016.
An attacker exploiting the ‘Dirty Pipe’ vulnerability can gain access to overwrite data in read-only files on the Linux system. It could also allow hackers to create unauthorised user accounts, modify scripts, and binaries by gaining backdoor access.
Since Android uses the Linux kernel as core, the vulnerability has a potential to impact smartphone users as well. It is, however, limited in nature as of now — thanks to the fact that most Android releases are not based on the Linux kernel versions that are affected by the flaw.
“Android before version 12 is not affected at all, and some Android 12 devices — but not all — are affected,” Kellermann told Gadgets 360.
The researcher also said that if the device was vulnerable, the bug could be used to gain full root access. This means that it could be used to allow an app to read and manipulate encrypted WhatsApp messages, capture validation SMS messages, impersonate users on arbitrary websites, and even remotely control any banking apps installed on the device to steal money from the user.
Kellermann was able to reproduce the bug on Google Pixel 6 and reported its details to the Android security team in February. Google also merged the bug fix into the Android kernel shortly after it received the report from the researcher.
However, it is unclear whether the bug has been fixed through the March security patch that was released earlier this week.
Some other devices that are running on Android 12 out-of-the-box are also expected to be vulnerable to attacks due to the ‘Dirty Pipe’ issue.
Gadgets 360 has reached out to Google and Samsung for clarity on the vulnerability and will inform readers when the companies respond.
Meanwhile, users are recommended to not install apps from any third-party sources. It is also important to avoid installing any untrusted apps and games, and make sure to have the latest security patches installed on the device.