Samsung and Google disagree on whether Dirty Pipe vulnerabilities have been fixed in recent connections

Although the updates for the Pixels and Samsung phones include the April 2022 patch levels, there is a lot of confusion regarding a critical and high-quality security vulnerability. Although the Android Security Bulletin for April was released today, it did not mention that it would address the Dirty Pipe vulnerability, which could be used for arbitrary code execution. Samsung, on the other hand, claims the Google bulletin in the April bulletin Do Address Dirty Pipe, and the Galaxy S22 series will no longer be affected.

For those unfamiliar, Google is creating a huge “patch level” for Android, which includes updates for security vulnerabilities each month. Smartphone makers get access in advance to release integrated updates at the beginning of each month – let’s assume they offer monthly updates. (Some manufacturers make these changes to lower premium devices and deliver once every two months or quarterly.) Every month, Google publishes a bulletin that explains which vulnerabilities are addressed in the monthly patch quantities provided. Each month specifies the type of vulnerability, severity, and CVE identifier assigned to the notes, and CVE-2022-0847 is not included in the Google Notes for this month’s April 2022.

ANDROIDPOLICE video of the day

The identifier was linked to a dirty-pipe vulnerability that researchers used to completely root the Google Pixel 6 Pro and Samsung’s Galaxy S22 series using an error in how it handles reading and writing Linux files. Done right, exploitation will allow for increased privilege and arbitrary code execution – a malicious actor can use exploitation to gain full control of a system (and activists can use this to gain root access).

While extensive documentation is currently available on exploitation and its impact on systems running specific versions of the Linux kernel, it may be in use in active “wilderness” by malicious actors, although no one is currently likely to use it to target Android. Phones. The vulnerability requires the most recent version of the Linux kernel, and Android phones tend to “live” on the same version for the rest of their lives. With the exception of Pixel 6 and its generic kernel image support, only phones with Snapdragon 8 General 1 launched on Android 12 or later should be affected. These include the Galaxy S22 Series, Xiaomi 12 Pro, OnePlus 10 Pro and Google Tensor powered Pixel 6 and 6 Pro.

In the April 2022 Android Security Bulletin, there were no fixes for the CVE related to the Dirty Pipe vulnerability or they were not mentioned in the individual and device-specific pixel update bulletin. Michelle Rahman of Esper.io has further confirmed that the kernel build date and tags for the current patch on the Pixel 6 Pro remain the same and are unlikely to include fixes for the Dirty Pipe. However, Samsung’s patch notes and documentation for the April update of the Galaxy S22 series clearly state it Is Fixed there. Even more bizarrely, Samsung’s documentation explicitly states that Google fixed it At its end With the April 2022 update, it no longer complies with Google’s own documentation.


In a nutshell: Samsung claims that Google has fixed it, skips it, and says Google has not done it.

We have been in touch with Google to confirm whether the Dirty Pipe vulnerability has been resolved at the latest patch level and whether Pixel 6 is still affected, but company representatives have not responded to our (repeated) inquiries. We have approached Samsung for more information about the S22 series, and the company is exploring this matter.

Samsung may have stopped this solution early on in some way, but the company’s documentation has been amended by the April 2022 Android Security Bulletin. It could be Google Done Fix issue with some devices / kernels, others may not, or something else may happen.

Although only a few very recent (and relatively high-end) phones were affected, many customers hoped that it would be fixed on board with this month’s update, following its public release on March 7, considering the severity of the vulnerability. But the situation is still gloomy, and even though it affects customer security, Google has done little to destroy it.

Update: 2022/04/05 09:47 EST by RYNE HAGER

Samsung claims that Google has stuck to it, and Google’s page disagrees

As found by SamMobile, Samsung says Is The latest update adds vulnerability to the Galaxy S22 series. The CVE for Dirty Pipe is on Samsung’s security updates page. Unusually, Samsung openly claims that the fix is ​​part of Google’s April 2022 Android Security Bulletin.

For more information, we contacted Google (again), but the company has not yet responded to our inquiries, although small communications can easily resolve this.

Our coverage above has been updated.


Emojihero-1

The Emoji Subcommittee has challenged the Internet to come up with something never seen before

Read on


About the author

Leave a Comment