Linux “Dirty Pipe” CVE-2022-0847 Vulnerability Exploitation Explained

On March 7, 2022, Max Kellerman from CM4All disclosed a local privilege escalation vulnerability (CVE-2022-0847) found in Linux kernel version 5.8 and newer [1]. This vulnerability allows attackers to overwrite read-only or immutable files and escalate their privileges in the victim’s system. CVE-2022-0847 vulnerability is named Dirty Pipe and has a CVSS score of 7.8 (high) [2]. 

Validate your security controls against CVE-2022-0847 exploits

What are Pipe, Page, and splice() in Linux?

A pipe is a unidirectional and inter-process communication method in Linux. It allows a process to take input from the previous one using a pipe buffer.

In the example below, the cat command's output is used as the input of the grep command using a pipe.

A page is a 4096-byte block of data. The Linux kernel breaks up the data into pages and operates on pages instead of dealing with the entire file at once. In the pipe mechanism, there is a flag called PIPE_BUF_FLAG_CAN_MERGE that indicates whether merging more data into the pipe buffer is allowed or not. When data is copied to a pipe buffer, more data can be added to the pipe buffer if the copied page is less than 4096 bytes in size.

splice() is a Linux system call that can move data from or to the pipe. This system call transfer data using the pass-by-reference method. Instead of copying a page every time, it gives a reference to the page that is to be transferred to pipe. 

What is Dirty Pipe (CVE-2022-0847) Vulnerability?

Dirty Pipe is a local privilege escalation vulnerability affecting Linux kernel versions 5.8 or newer. The vulnerability is patched in Linux versions 5.16.11, 5.15.25, and 5.10.102. CVSS score of the vulnerability is 7.8(high).  CVE-2022-0847 vulnerability is named Dirty Pipe because of its similarity to Dirty Cow (CVE-2016-5195) vulnerability [3]. 

Here is how Dirty Pipe vulnerability exploitation works:

• Create a pipe

• Copy arbitrary data into the pipe and set the PIPE_BUF_FLAG_CAN_MERGE flag to 1 for all instances.

• Drain the pipe

• Normally, the flag should be reset. However, the Dirty Pipe vulnerability causes the flag to stay as set to 1.

• Transfer a read-only file to the pipe using splice() system call.

• Modify the read-only file.

• Since the splice() system call uses the pass-by-reference method, the attacker can overwrite the file due to the PIPE_BUF_FLAG_CAN_MERGE flag.

Using Dirty Pipe vulnerability, an attacker with unprivileged access to the victim system can elevate its privileges to the root level. 

How to Protect Your Organization From Dirty Pipe Vulnerability Exploits?

To protect against exploitation of CVE-2022-0847 Dirty Pipe vulnerability, we highly advise organizations to identify vulnerable systems on their networks and update them. Since Linux is also used in many mobile devices, the relevant patches should be applied.  

How Picus Helps Simulate Dirty Pipe Vulnerability Exploits?

Picus Continuous Security Validation Platform tests your security controls against vulnerability exploitation attacks and suggests related prevention methods.

Picus Labs advises you to simulate Dirty Pipe CVE-2022-0847 vulnerability exploitation attack and determine the effectiveness of your security controls against it.

References

[1] “The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation.” [Online]. Available: https://dirtypipe.cm4all.com

[2] “NVD - CVE-2022-0847.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2022-0847

[3] “NVD - CVE-2016-5195.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2016-5195