- Three academics from Northwestern University, who call themselves “DirtyCred”, have found an 8-year-old bug in the Linux kernel.
- The vulnerability allows attackers to swap their unprivileged credentials with privileged ones, effectively making them an administrator.
- The exploit abuses the kernel's heap memory reuse mechanism to obtain maximum-level privileges.
A group of three academics from Northwestern University named DirtyCred has found a new vulnerability that has existed in the Linux kernel for eight years. The vulnerability is tracked as CVE-2022-2588 and has a severity score of 6.7.
Swapping the credentials
The vulnerability allows attackers to escalate their user privileges to the administrator level. It makes this possible by swapping unprivileged credentials with privileged ones in the kernel, which is done by abusing the heap memory reuse mechanism. The DirtyCred team has a very detailed explanation of the process, which can be found here.
The main steps to exploit the vulnerability are:
- Use the vulnerability to free an unprivileged credential
- Allocate privileged credentials in the freed memory slot
- Operate as a privileged user
DirtyCred also states that this vulnerability is more dangerous than Dirty Pipe, which affects Linux kernel versions starting from 5.8. Dirty Pipe exploitation was possible, but it had many requirements and could not escape from a container. DirtyCred’s vulnerability, however, is a generic one and can escape from a container.
Security researchers recommend isolating privileged credentials from unprivileged ones by utilizing virtual memory.
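The three exploitation steps listed above and the recommended mitigation both come down to one allocator property: whether a slot freed by an unprivileged object can be handed back to a privileged one. The following C program is an added illustration, not code from the DirtyCred researchers or from the Linux kernel. It models a slab-style cache with a LIFO free list (a hypothetical `struct slab` holding a hypothetical `struct cred_obj` that stands in for the kernel's credential object) and shows that a stale reference to a freed unprivileged slot ends up pointing at a privileged object when both kinds share one cache, but not when privileged credentials are allocated from a separate region, which is the isolation the researchers recommend.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 8

/* Hypothetical credential object; stands in for the kernel's credential struct. */
struct cred_obj {
    unsigned int uid;
    bool privileged;
};

/* Minimal fixed-size slab: freed slots are recycled LIFO, as a real slab
 * cache does, so the slot freed last is the slot handed out next. */
struct slab {
    struct cred_obj slot[SLOTS];
    bool used[SLOTS];
    int free_stack[SLOTS];
    int free_top;
};

static void slab_init(struct slab *s) {
    memset(s, 0, sizeof *s);
    for (int i = SLOTS - 1; i >= 0; i--)
        s->free_stack[s->free_top++] = i;
}

static struct cred_obj *slab_alloc(struct slab *s) {
    if (s->free_top == 0)
        return NULL;
    int i = s->free_stack[--s->free_top];
    s->used[i] = true;
    return &s->slot[i];
}

static void slab_free(struct slab *s, struct cred_obj *o) {
    ptrdiff_t i = o - s->slot;
    if (i < 0 || i >= SLOTS || !s->used[i])
        return; /* not an object of this cache, or already free */
    s->used[i] = false;
    s->free_stack[s->free_top++] = (int)i;
}

/* Shared cache: unprivileged and privileged objects come from the same slab.
 * Returns true if a reference left over from the freed unprivileged object
 * now addresses the privileged object placed in the reused slot. */
bool shared_cache_reuses_slot(void) {
    struct slab cache;
    slab_init(&cache);

    struct cred_obj *unpriv = slab_alloc(&cache);
    unpriv->uid = 1000;
    unpriv->privileged = false;
    struct cred_obj *stale = unpriv;   /* reference that outlives the object */

    slab_free(&cache, unpriv);         /* step 1: unprivileged object freed   */
    struct cred_obj *priv = slab_alloc(&cache); /* step 2: slot refilled     */
    priv->uid = 0;
    priv->privileged = true;

    return stale == priv && stale->privileged; /* step 3 would now succeed  */
}

/* Isolated caches: privileged objects come from a separate region, so the
 * freed unprivileged slot can never be occupied by a privileged object. */
bool isolated_caches_reuse_slot(void) {
    struct slab unpriv_cache, priv_cache;
    slab_init(&unpriv_cache);
    slab_init(&priv_cache);

    struct cred_obj *unpriv = slab_alloc(&unpriv_cache);
    unpriv->uid = 1000;
    unpriv->privileged = false;
    struct cred_obj *stale = unpriv;

    slab_free(&unpriv_cache, unpriv);
    struct cred_obj *priv = slab_alloc(&priv_cache);
    priv->uid = 0;
    priv->privileged = true;

    return stale == priv || stale->privileged; /* false: separation holds  */
}

int main(void) {
    printf("shared cache reuses freed slot for privileged object: %s\n",
           shared_cache_reuses_slot() ? "yes" : "no");
    printf("isolated caches reuse freed slot for privileged object: %s\n",
           isolated_caches_reuse_slot() ? "yes" : "no");
    return 0;
}
```

The toy allocator keeps the freed slot's memory readable so the effect is visible; in the kernel the same reuse is what turns a dangling credential reference into a privileged one, and moving privileged credentials to their own allocation region removes the overlap rather than trying to detect the stale reference.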