
What is it, is my phone at risk, and what can I do?

March 16, 2022

Little more than a month after Samsung announced its Galaxy S22-series flagship, a security researcher found a major vulnerability that puts those phones, and a handful of other Android phones, at risk. Over the past few days, there have been a lot of questions and concerns about the exploit known as Dirty Pipe. Here’s the rundown on the Dirty Pipe exploit, the phones affected by it, and what you can do to stay safe.

What is “Dirty Pipe?”

Dirty Pipe is the name given to the CVE-2022-0847 vulnerability, present in Linux kernel versions 5.8 and later. The researcher who discovered the issue found it through what was assumed to be a bug that caused access logs on a machine to be intermittently corrupted. A deeper examination of the precise cause indicated the problem could be used as a very serious exploit. The mechanism is complicated, but in essence, the vulnerability allows data to be injected into arbitrary files due to the way the Linux kernel reads, writes, and passes data through what are called “pipes” — hence the name.

Because basically everything in Linux is a “file,” and because Dirty Pipe can selectively modify data in any file (either directly or through how the file is read via cache), an attacker could use the exploit to modify system files. A bad actor can use the Dirty Pipe exploit to inject arbitrary code to be run by a privileged process. That code can then be used for all sorts of potential applications, like granting root permissions to other software and modifying the system without authorization.

In less technical terms, Dirty Pipe is a vulnerability on Linux that allows a malicious application nearly full system control, and that’s scary.

Should I be worried?

The likelihood of falling victim to a Dirty Pipe attack on your Android phone is low, but there’s still reason for alarm. Since Linux powers more than just servers and your nerdy friend’s laptop, a lot of devices are potentially at risk. Many embedded systems, smart home devices, set-top boxes, and even the majority of the world’s phones run Linux — in the last case, courtesy of Android. That said, most Android device owners don’t need to worry.

To start, Dirty Pipe only affects Android phones running Linux kernel versions 5.8 and later. There isn’t a complete list of phones tied to specific Linux kernel versions, but many Android phones “live” on a specific kernel version their entire life. Kernel 5.8 was released in 2020, but Android phones didn’t start to receive any more recent versions until the release of Android 12. Generic Kernel Images complicate this a little, but consumer devices using the model didn’t debut until Android 12 either, and only the Pixel 6 and 6 Pro use it.

In short, if your phone launched with Android 11 or earlier, you’re safe from Dirty Pipe, and even if you upgraded to Android 12, there isn’t a cause for concern. That means most phones from 2021 and earlier are unaffected. However, some more recent phones are affected.

We know the Pixel 6, Pixel 6 Pro, and Samsung Galaxy S22 series are affected by Dirty Pipe. We have reached out to both Qualcomm and MediaTek for more details about which chipsets may support vulnerable versions of the Android kernel. Android Police has separately confirmed the Xiaomi 12 Pro is running an affected version of the Linux kernel. Odds are that some, if not all, phones with the Snapdragon 8 Gen 1 mobile platform and Android 12 are also vulnerable.

How can I check if my phone is affected?

If you’re concerned that your phone could be vulnerable to Dirty Pipe until things are patched, checking is easy, but not always simple. The kernel version should be listed somewhere in your phone’s Settings app, but different companies put it in different places (and some even name it differently). All you need to care about for now are the first two numbers of the kernel version.


Follow the steps below to locate the kernel version for Google Pixel, OnePlus (running Oxygen OS 12 or later), and Samsung Galaxy phones:

  • Samsung Galaxy phones
    • Tap Settings → About phone → Software information.
  • Google Pixel phones
    • Select Settings → About phone → Android version.
  • OnePlus phones
    • Go to Settings → About device → Version.

If you own a phone from a different manufacturer, simply type “kernel” in the Settings’ search bar. Though it still may not appear on all devices, it’s a fast and easy way to access the information in many instances, including for devices not covered above.

Remember, if the first few digits of your phone’s kernel version are lower than 5.8, you are safe.
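
The comparison above is made number by number, not as a decimal: kernel 5.10 is newer than 5.8. The following shell snippet is an added example, not part of the original article; the function name and the sample release strings are constructed. It classifies a kernel release string of the kind shown in Settings or printed by `uname -r`:

```shell
#!/bin/sh
# Added example: apply the article's "kernel 5.8 and later" rule to a kernel
# release string. The function name and sample strings are constructed.

# Prints: not-affected | check-for-patch | unknown
dirty_pipe_status() {
    release=$1
    # Must look like "<major>.<minor>..." to be classified at all.
    case $release in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    major=${release%%.*}          # text before the first dot
    rest=${release#*.}            # text after the first dot
    minor=${rest%%[!0-9]*}        # leading digits only; drops ".43-android12-..."
    case $major in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $minor in '') echo unknown; return 0 ;; esac

    # Compare component by component. Reading "5.10" as a decimal number
    # would wrongly place it below 5.8; 5.10 is the newer kernel.
    if [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 8 ]; }; then
        echo check-for-patch      # in the affected range; needs the vendor fix
    else
        echo not-affected         # older than 5.8
    fi
}

# Constructed sample release strings in the style Android and Linux report.
for sample in \
    '5.10.43-android12-9-00001-gabcdef012345' \
    '5.4.61-qgki-g0123abc' \
    '4.19.113' \
    '5.8.0'
do
    printf '%-45s %s\n' "$sample" "$(dirty_pipe_status "$sample")"
done
```

On a device with USB debugging enabled, `adb shell uname -r` prints the release string to pass in. A result of `check-for-patch` only means the kernel is in the affected range; whether the fix is installed depends on the updates the manufacturer has shipped.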

What is being done to fix the Dirty Pipe exploit?

Right now, there is nothing that you can do to fix the problem. The vulnerability on Android phones needs to be addressed by manufacturers and Google via an OTA update. The issue has already been addressed in the Linux kernel itself (if you’re running a server or using Linux in some other application, update ASAP), but the process to deliver an update on Android is a little more complicated because of how Android works.

Google tells us that it is aware of the vulnerability and has shared information with partners on how to patch the issue. So far, we aren’t aware of a specific patch level that will address the issue or any updates for Android devices that do, but I would expect that updates in the next month or two (in April or May) should likely include a fix. We’ve also reached out to Samsung, Qualcomm, and MediaTek (as chipset vendors that ship kernels to device manufacturers) for a more precise schedule.

There are a few things you can do in the meantime to reduce your potential risk. If your phone is affected:

  • Don’t install apps from developers you don’t trust.
  • Don’t sideload or manually install apps from outside the Play Store.
  • Check for system updates frequently.

Google also tells us that it is exploring ways to use Google Play Protect to offer additional protection against this issue. If you stick to sources like the Play Store for your apps, that will reduce the chances that you might install a malicious app that takes advantage of the Dirty Pipe vulnerability, though it’s not a perfect defense. Apps can still download code that takes advantage of the vulnerability after they are installed.

In the coming months, the impact of Dirty Pipe on Android will be reduced as manufacturers roll out updates to address the issue. If you haven’t updated to a new flagship in the past six months, there’s little need to worry. If, however, you just picked up a new Samsung Galaxy S22, hold off from downloading apps outside the Google Play Store, and keep an eye out for OTA updates for your phone.




About The Author

Ryne Hager

Ostensibly a senior editor, in reality just some verbose dude who digs on tech, loves Android, and hates anticompetitive practices. His only regret is that he didn’t buy a Nokia N9 in 2012. Email tips or corrections to ryne at androidpolice dot com.
