Dirty Pipe Might be the Most Severe Vulnerability to Hit Linux in Years
The name Dirty Pipe is an homage to the Dirty Cow vulnerability, discovered in 2016, and a pipeline, which is a mechanism within Linux that allows processes to share data. Tracked as CVE-2022-0847, Dirty Pipe was discovered when a researcher was troubleshooting corrupted files that continued to appear on a customer's Linux server. It took months of analysis, but eventually, Max Kellermann (the researcher in question, from Ionos) discovered those files were due to a bug in the Linux kernel and figured out a way to weaponize the vulnerability. Once weaponized on a Linux machine, anyone with an account could then add an SSH key to the root user's account such that any untrusted user could remotely access the server with full root privileges.
The same vulnerability also makes it possible for attackers to hijack an SUID binary to create a root shell, which allows untrusted users to overwrite data, even in read-only files. Other actions that can be taken on a vulnerable machine include creating a cron job that serves as a backdoor and modifying a script or binary used by a privileged service.
Find out more about Dirty Pipe in this Red Hat security bulletin.