Google's latest Android patches haven't fixed critical Dirty Pipe vulnerability
Updates for Pixels and Samsung's phones have been rolling out with the April 2022 patch level included, but one critical and high-profile exploit hasn't been addressed yet. The Android Security Bulletin for the month was published today, and it does not state that it addresses the Dirty Pipe vulnerability, which can be used for arbitrary code execution.
For the uninitiated, every month Google releases a large "patch level" for Android that includes fixes for security flaws. Smartphone manufacturers have early access to it, allowing them to roll out updates in a coordinated manner at the start of each month — providing they deliver monthly updates. (For less expensive devices, some manufacturers bundle these updates and distribute them every two months or once a quarter.) Google issues a monthly bulletin that describes which vulnerabilities have been fixed across the various monthly patch tiers. Each month's notes specify the type of vulnerability, severity, and CVE identifier assigned to it, but CVE-2022-0847 is absent from this month's notes for April 2022.
Researchers have used the Dirty Pipe vulnerability to fully root a Google Pixel 6 Pro and Samsung's Galaxy S22 series by exploiting a weakness in how Linux handles reading and writing to files. When done correctly, the vulnerability can result in privilege escalation and arbitrary code execution, which are ominous terms that effectively suggest a bad actor can use the attack to take complete control of a machine (and enthusiasts might use it to get root access).
Because of the detailed documentation on the attack and its impact on devices running specific versions of the Linux kernel, it's possible that it's being used "in the wild" by malicious actors, although it's unlikely that it's being used to target Android phones right now. The flaw requires a current version of the Linux kernel, and Android phones typically "live" on a single version for the majority of their lifespan. Only phones with a Snapdragon 8 Gen 1 that launched on Android 12 or later should be affected, with the exception of the Pixel 6 and its Generic Kernel Image support. The Galaxy S22 series, Xiaomi 12 Pro, OnePlus 10 Pro, and Google's Tensor-powered Pixel 6 and 6 Pro are among the devices in this category.
Fixes for the CVE that corresponds to the Dirty Pipe vulnerability were not included in this month's patch levels, nor were they mentioned in the separate and device-specific Pixel Update Bulletin, as far as we can tell from examining the April 2022 Android Security Bulletin (not that it takes much more than a Ctrl+F).
The kernel build date and tags for the latest patch for the Pixel 6 Pro, according to Esper.io's Mishaal Rahman, imply that it has remained untouched and is unlikely to provide patches for Dirty Pipe.
We contacted Google to see if the Dirty Pipe vulnerability has been addressed in the newest patch version, and if the Pixel 6 is still vulnerable, but no one from the company has answered.
It's possible (though doubtful) that some device upgrades, released separately from Google's Android Security Bulletin modifications, still contain the remedy. We've also reached out to Samsung for more information on the S22 series, and the firm has agreed to look into the matter. If Google didn't fix the problem in the current patch level, Samsung isn't likely to do so.
Despite the fact that just a few very recent (and quite high-end) phones are susceptible, many consumers were anticipating that the vulnerability would be fixed with this month's update, following its public exposure on March 7th. However, it appears that we will have to wait until April — or later.