Linux Dirty Pipe
Updated March 17th 2022
Risk: Critical
CVE: CVE-2022-0847
Affected Version: Linux Kernel 5.8 and later versions up to 5.10.101/5.15.24/5.16.10
Fix Version: 5.16.11, 5.15.25 and 5.10.102
Details
A Linux vulnerability that affects all kernels since 5.8, including Android, has been disclosed by security researcher Max Kellermann. Known as Dirty Pipe, it allows the overwriting of data in read-only files and can lead to privilege escalation via the injection of code into root processes. CVE-2022-0847 “Dirty Pipe” is very similar to the “Dirty COW” vulnerability, which targets the copy-on-write (COW) mechanism in Linux kernel memory. Basically, this flaw turns a read-only mapping into a writable area and can be combined with additional exploits to compromise the system.
Action
We suggest applying the latest kernel patches ASAP to remediate this vulnerability. It's also worth noting that vendors and appliance providers may be prone to this vulnerability, which highlights the need to keep an accurate asset inventory to understand the full scope of the issue.
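To help scope hosts for the inventory mentioned above, this added example (not part of the original advisory or any vendor tooling) classifies a kernel release string, such as the output of uname -r, against the Affected Version and Fix Version fields on this page. It compares upstream version numbers only; distribution kernels often backport fixes without changing the base version, so the vendor advisories under Reference take precedence. The function name dirtypipe_status and the rule that kernels newer than the 5.16 branch already carry the fix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a kernel release string
# against the CVE-2022-0847 version ranges listed on this page.
# Prints one of: affected | fixed | not-affected | unknown

dirtypipe_status() {
    rel=$1
    ver=${rel%%[!0-9.]*}           # "5.15.0-91-generic" -> "5.15.0"
    case $ver in
        ''|.*|*..*) echo unknown; return 0 ;;   # no usable version prefix
    esac
    set -- $(echo "$ver" | tr . ' ')
    major=$1 minor=${2:-} patch=${3:-0}
    if [ -z "$minor" ]; then echo unknown; return 0; fi

    # Kernels before 5.8 are outside the affected range.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return 0
    fi
    # Assumption: anything newer than the 5.16 branch already has the fix.
    if [ "$major" -gt 5 ] || [ "$minor" -gt 16 ]; then
        echo fixed; return 0
    fi
    # First fixed patch level per branch, taken from "Fix Version" above.
    case $minor in
        10) fix=102 ;;
        15) fix=25 ;;
        16) fix=11 ;;
        *)  fix= ;;                # 5.8-5.16 branch with no fix version listed
    esac
    if [ -n "$fix" ] && [ "$patch" -ge "$fix" ]; then
        echo fixed
    else
        echo affected
    fi
}

# Classify the running kernel (Linux hosts), or a release string given as $1.
dirtypipe_status "${1:-$(uname -r)}"
```

A result of "affected" on a distribution kernel means the upstream base version is in range, not that the vendor build is unpatched; confirm against the installed package version.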
Remediation Steps
If you don’t have a patch yet, you can mitigate the problem in the RHEL family with the commands:
# echo 0 > /proc/sys/user/max_user_namespaces
# sudo sysctl --system
And, in the Debian/Ubuntu family with the command:
$ sudo sysctl kernel.unprivileged_userns_clone=0
Reference
- https://vuldb.com/?id.194333
- https://dirtypipe.cm4all.com/
- https://github.com/antx-code/CVE-2022-0847
- https://access.redhat.com/security/cve/cve-2022-0847
- https://ubuntu.com/security/CVE-2022-0847
- https://www.suse.com/security/cve/CVE-2022-0847.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847