The flaw is present in Linux Kernels 5.8 and later (including Android) and effects most major distributions of Linux. The flaw, tracked as CVE-2022-0847, is like one that was patched in 2016 (CVE-2015-5195). The researcher that found the exposed flaw is Max Kellermann. Kellerman states that the vulnerability in question is easy to exploit and represents a significant danger to production Linux systems where SSH access is often how things are managed (especially web servers).

As part of the disclosure Kellerman released proof of concept code to validate his finding. With it he was able to inject his own data into normally read-only and protected files (immutable files). His proof-of-concept lead to the creation of a simple script (from another security researcher BLASTY) that allows a user to drop a root shell on a targeted device then execute a script. It does this by patching the /usr/bin/su command (using the flaw), this in turn drops the shell at /tmp/sh. Once the command it done, the user has root, and the security game is over.

This script and other exploits are publicly available and are sure to be in the hands of attacker by now. The usual suspects from the Linux community are aware (as are the Linux Kernel and Android security teams) and is reportedly fixed in Linux Kernels 5.16.11, 5.15.25, and 5.10.102. This does not mean that we are high and dry with this one though. Due to the way many service providers (web hosting services) and other heavy Linux use organizations operate, it is likely that there are many, many servers running older and vulnerable kernel versions. On top of that, as we mentioned, many of these are likely to have outside SSH access available.

We have said it before, and it bears repeating, there is no such thing as a secure OS. Windows, MacOS, Linux, all have flaws and vulnerabilities that attackers can exploit. Organizations need to treat each flavor in the same manner, assume there is a chance of compromise and ensure they are being patched often and early.

Happy patching.