Dirty Pipe: Linux Kernel Vulnerability Could Lead to Root Privileges – CVE-2022-0847

Background

In April 2021, CVE-2022-0847 was discovered by security researcher Max Kellermann; it took another few months for him to figure out what was happening. The flaw has already been patched in the Linux kernel and the Android kernel. Affected Linux distributions are in the process of pushing out security updates with the patch.

Due to the similarities of the Dirty Cow flaw, CVE-2016-5195; has been named Dirty Pipe.

Analysis

CVE-2022-0847

The Linux Kernel Security Team patched a local privilege escalation vulnerability in the Linux Kernel that could allow a threat actor with local access to an affected system to escalate user privileges to root.

The most likely attack scenario is from an internal threat where a malicious user could escalate from user to full root privileges. An external attack scenario would be from an attacker who already has local authenticated access to the vulnerable system either from another vulnerability or password spraying style attack. Once local authenticated access is achieved, the external attacker could then escalate to full root privileges leveraging this vulnerability.

Note: This is not a remotely exploitable vulnerability, a threat actor must have prior access to exploit the vulnerability.

Solutions and Recommendations

Due to the widespread nature of CVE-2022-0847, Arctic Wolf recommends patching systems in accordance with the Linux distribution vendor. Major Linux distributions have published security advisories detailing the impacted versions and remediation steps.

Prioritize patching systems that are external facing or are considered high value assets.

References

• Dirty Pipe Vulnerability Technical Blog
• Dirty Cow Technical Blog
• Red Hat Vendor Advisory
• Ubuntu Vendor Advisory
• Debian Vendor Advisory
• SUSE Vendor Advisory

Learn more about Arctic Wolf’s Managed Risk solution or request a demo today.