On March 7, 2022, Max Kellermann of CM4all disclosed a local privilege escalation vulnerability (CVE-2022-0847) in Linux kernel versions 5.8 and newer [1]. The vulnerability allows a local attacker to overwrite data in read-only or immutable files and thereby escalate privileges on the victim system. CVE-2022-0847 is known as Dirty Pipe and has a CVSS score of 7.8 (high) [2].
A pipe is a unidirectional inter-process communication mechanism in Linux: one process writes bytes into a pipe buffer and another process reads them out, so the output of one command can become the input of the next.
In the example below, the output of the cat command is fed to the grep command through a pipe (<pattern> stands for whatever string grep should search for):
$ cat test.txt | grep <pattern>
A page is a 4096-byte block of memory (on x86-64 and most other common architectures). The Linux kernel manages data in pages rather than handling a whole file at once; in a pipe, each slot of the pipe ring (a struct pipe_buffer) refers to one page. A pipe_buffer carries a flag called PIPE_BUF_FLAG_CAN_MERGE that records whether further data may be merged into the page it refers to. When a write() to the pipe only partially fills a page (less than 4096 bytes), the kernel sets this flag so that the next write() appends into the same page instead of allocating a new one.
splice() is a Linux system call that moves data between a file descriptor and a pipe without copying it through user space. It works by reference rather than by copy: when splicing from a file into a pipe, the kernel does not copy the file data into a freshly allocated pipe page; it places a reference to the file's existing page-cache page into the pipe_buffer. Any later write that merges into that pipe_buffer therefore lands in the page cache of the file itself.
Dirty Pipe is a local privilege escalation vulnerability affecting Linux kernel versions 5.8 and newer. It is patched in Linux 5.16.11, 5.15.25, and 5.10.102 (5.17 and later were released with the fix). The vulnerability has a CVSS score of 7.8 (high) [2]. CVE-2022-0847 is named Dirty Pipe because of its similarity to the Dirty Cow vulnerability (CVE-2016-5195) [3], which also allowed an unprivileged user to write to read-only file mappings.
Here is how Dirty Pipe exploitation works [1]:
The root cause is that two kernel functions which move page references into a pipe, copy_page_to_iter_pipe() and push_pipe(), did not initialize the flags member of the struct pipe_buffer they filled. Whatever flag value a ring slot had from its previous use therefore survived, including a stale PIPE_BUF_FLAG_CAN_MERGE. An attacker abuses this as follows:
1. Create a pipe.
2. Fill the pipe with arbitrary data, so that PIPE_BUF_FLAG_CAN_MERGE is set in every slot of the pipe ring.
3. Drain the pipe. The slots are free again, but the flag remains set in each struct pipe_buffer.
4. splice() data from the target file (opened read-only) into the pipe, starting just before the offset that is to be overwritten. The file's page-cache page is now referenced by a pipe_buffer whose flags still say that merging is allowed.
5. write() the attacker-controlled bytes into the pipe. Because merging appears to be allowed, the kernel appends them into the referenced page, which is the file's page-cache page rather than a private pipe page.
The modified page is never marked dirty, so the file on disk is not changed; however, every process that reads the file sees the attacker's content until the page is evicted from the page cache. The technique has limits: the attacker needs read permission on the target file, the write cannot cross a page boundary, it cannot grow the file, and the target offset cannot be at the start of a page (at least one byte of that page must have been spliced into the pipe first). Within those limits, an attacker with unprivileged local access can overwrite a page of a privileged file, for example a setuid-root executable, and elevate privileges to root.
To protect against exploitation of CVE-2022-0847 Dirty Pipe, we strongly advise organizations to identify vulnerable systems on their networks and update them to a patched kernel; there is no configuration-level workaround, since the flaw is in the kernel's pipe implementation itself. Note that distributions backport fixes without changing the upstream version number, so the kernel release string alone is only a first screen and should be confirmed against the vendor's advisory. Since Android is Linux-based, mobile devices shipping kernel 5.8 or newer are also affected and should receive the relevant vendor updates.
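As a first-pass inventory aid, the following is an added example written for this article (it is not code from the original post, from Picus, or from the Dirty Pipe disclosure). It parses a kernel release string such as the output of uname -r and compares it against the fixed versions listed above (5.10.102, 5.15.25, 5.16.11, with 5.17 and later treated as fixed and 5.8 through 5.16 branches without an upstream fix treated as affected). The function names parse_kver, is_dirty_pipe_vulnerable and check_running_kernel are this example's own. Because distributions backport patches, a "vulnerable" verdict means "verify against the vendor advisory", not "confirmed exploitable".

```c
/* Added example: heuristic Dirty Pipe exposure check from the kernel
 * release string. Not part of the original article. Fixed versions are
 * the ones the article lists; distro backports are NOT detected here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>

struct kver {
    unsigned long major;
    unsigned long minor;
    unsigned long patch;
};

/* Parse the leading "MAJOR.MINOR[.PATCH]" of a uname -r string such as
 * "5.10.100-generic" or "5.15.25-1-lts". Any suffix after the numeric
 * part ("-rc5", "-generic", ...) is ignored. Returns 0 on success, -1 if
 * the string does not start with at least MAJOR.MINOR. */
int parse_kver(const char *s, struct kver *v)
{
    char *end;

    v->major = strtoul(s, &end, 10);
    if (end == s || *end != '.')
        return -1;
    s = end + 1;

    v->minor = strtoul(s, &end, 10);
    if (end == s)
        return -1;

    v->patch = 0;               /* "5.16" means 5.16.0 */
    if (*end == '.') {
        s = end + 1;
        v->patch = strtoul(s, &end, 10);
        if (end == s)
            return -1;
    }
    return 0;
}

/* Returns 1 if the upstream version lies in the affected range,
 * 0 if it does not, and -1 if the release string cannot be parsed. */
int is_dirty_pipe_vulnerable(const char *release)
{
    struct kver v;

    if (parse_kver(release, &v) != 0)
        return -1;

    /* Bug introduced in 5.8; 5.17 was released with the fix. */
    if (v.major != 5 || v.minor < 8 || v.minor >= 17)
        return 0;

    /* Stable branches that received the fix (versions from the article). */
    switch (v.minor) {
    case 10: return v.patch < 102;
    case 15: return v.patch < 25;
    case 16: return v.patch < 11;
    default:
        /* 5.8, 5.9 and 5.11-5.14 were end-of-life upstream before the
         * fix: every upstream release on those branches is affected. */
        return 1;
    }
}

/* Check the kernel this program is running on and print a verdict.
 * Returns the is_dirty_pipe_vulnerable() result (-1 if uname fails). */
int check_running_kernel(void)
{
    struct utsname u;
    int r;

    if (uname(&u) != 0) {
        perror("uname");
        return -1;
    }
    r = is_dirty_pipe_vulnerable(u.release);
    printf("kernel %s: %s\n", u.release,
           r == 1 ? "upstream version in affected range, check vendor advisory"
         : r == 0 ? "not in affected upstream range"
                  : "could not parse release string");
    return r;
}

int main(void)
{
    /* Exit status 2 flags a potentially affected kernel for scripting. */
    return check_running_kernel() == 1 ? 2 : 0;
}
```

Run it on each host (or feed it the release strings collected by your inventory tooling) and treat the result as a triage list: hosts flagged here need their distro-specific kernel package version compared against the vendor's CVE-2022-0847 advisory before being marked patched or exposed.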
Picus Continuous Security Validation Platform tests your security controls against vulnerability exploitation attacks and suggests related prevention methods.
Picus Labs advises you to simulate the Dirty Pipe (CVE-2022-0847) exploitation attack and determine the effectiveness of your security controls against it.
Threat Name: Linux Kernel Dirty Pipe Elevation of Privilege Vulnerability
References
[1] “The Dirty Pipe Vulnerability — The Dirty Pipe Vulnerability documentation.” [Online]. Available: https://dirtypipe.cm4all.com
[2] “NVD - CVE-2022-0847.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2022-0847
[3] “NVD - CVE-2016-5195.” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2016-5195