Double Your Threat Blocking in 90 Days
Huseyin Can YUCEEL & Furkan Göksel | March 24, 2022
The Top 10 MITRE ATT&CK Techniques Used by Adversaries
On March 7, 2022, Max Kellerman from CM4All disclosed a local privilege escalation vulnerability (CVE-2022-0847) found in Linux kernel version 5.8 and newer . This vulnerability allows attackers to overwrite read-only or immutable files and escalate their privileges in the victim’s system. CVE-2022-0847 vulnerability is named Dirty Pipe and has a CVSS score of 7.8 (high) .
A pipe is a unidirectional and inter-process communication method in Linux. It allows a process to take input from the previous one using a pipe buffer.
In the example below, the cat command's output is used as the input of the grep command using a pipe.
$ cat test.txt
A page is a 4096-byte block of data. The Linux kernel breaks up the data into pages and operates on pages instead of dealing with the entire file at once. In the pipe mechanism, there is a flag called PIPE_BUF_FLAG_CAN_MERGE that indicates whether merging more data into the pipe buffer is allowed or not. When data is copied to a pipe buffer, more data can be added to the pipe buffer if the copied page is less than 4096 bytes in size.
splice() is a Linux system call that can move data from or to the pipe. This system call transfer data using the pass-by-reference method. Instead of copying a page every time, it gives a reference to the page that is to be transferred to pipe.
Dirty Pipe is a local privilege escalation vulnerability affecting Linux kernel versions 5.8 or newer. The vulnerability is patched in Linux versions 5.16.11, 5.15.25, and 5.10.102. CVSS score of the vulnerability is 7.8(high). CVE-2022-0847 vulnerability is named Dirty Pipe because of its similarity to Dirty Cow (CVE-2016-5195) vulnerability .
Here is how Dirty Pipe vulnerability exploitation works:
Using Dirty Pipe vulnerability, an attacker with unprivileged access to the victim system can elevate its privileges to the root level.
To protect against exploitation of CVE-2022-0847 Dirty Pipe vulnerability, we highly advise organizations to identify vulnerable systems on their networks and update them. Since Linux is also used in many mobile devices, the relevant patches should be applied.
Picus Continuous Security Validation Platform tests your security controls against vulnerability exploitation attacks and suggests related prevention methods.
1. Let's look at Dirty Pipe vulnerability exploitation attack simulation in Picus Threat Library. To see the Threat Library, click on Threats.
2. Picus Threat Library includes five main threat categories. Dirty Pipe attack simulation is classified under Vulnerability Exploitation category. Click on Vulnerability Exploitation to list the attacks.
3. The latest vulnerability exploitation attacks are listed here. Let's look into Dirty Pipe vulnerability attack simulation by clicking highlighted area. It will open threat detail for the simulation.
4. Under Overview tab, the simulation details are available. Let's click Assess to go to assessment screen.
5. Under Assess tab, you can run attack simulations any time you want. Click on Assess to run simulation for Dirty Pipe vulnerability exploitation.
6. Assessment is finished and the result is "Not Blocked" as indicated by the red icon. But don't worry. Picus also gives actionable prevention suggestions.
Let's click Prevention tab to see these how to prevent simulated attack.
7. With few clicks, we quickly simulated Dirty Pipe vulnerability exploitation attack and obtained actionable prevention suggestions.
Click here to request your free Picus demo to test your security control against cyber threats.
Picus Labs advises you to simulate Dirty Pipe CVE-2022-0847 vulnerability exploitation attack and determine the effectiveness of your security controls against it.
Linux Kernel Dirty Pipe Elevation of Privilege Vulnerability
 “The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation.” [Online]. Available: https://dirtypipe.cm4all.com
 “NVD - CVE-2022-0847.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2022-0847
 “NVD - CVE-2016-5195.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2016-5195