Summary
CVE-2022-0847 was disclosed on March 7th and since has been named “Dirty Pipe”. This linux
kernel vulnerability is caused by improperly handling flags on Linux “pipes”. The vulnerability makes it possible for attackers with existing access to a system to override the contents of files they have read-only access to. This allows authenticated attackers to easily elevate their privileges by modifying the contents of sensitive files such as sudoers or the passwd files. Additionally, this vulnerability can attackers by modifying binaries, files, or memory being actively used by privileged processes.
Dirty Pipe is similar in nature to the infamous Dirty Cow (CVE-2016-5195) vulnerability that also
breaks in private read-only memory mappings. Dirty Cow has been widely exploited by threat
actors with a wide variety of motives. Unfortunately, the newly disclosed “Dirty Pipe” vulnerability is more trivial to exploit, and several Proof of Concept (PoC) exploits have been published publicly.
Additionally, researchers have shown that attackers can use Dirty Pipe to modify read-only files on“host” systems by running the exploits on containers being run by the host system. This makes it possible for attackers with access to a container to escape from the container and compromise
the host system, potentially giving them access to other sensitive applications or systems running
on that host machine.
The CFC expects threat actors to begin leveraging public exploits for this vulnerability in the
coming days, and to begin weaponizing the vulnerability to target container hosts imminently.
Organizations running impacted Linux systems should prioritize patching this vulnerability as soon as possible as there are no available workarounds.
Affected Operating Systems
All Linux kernels after 5.8 (inclusive) which was released In August 2020 are susceptible to this
vulnerability. While this kernel release is recent, some of the latest Linux server distributions (such as Red Hat Server 8 and Ubuntu Server 20.04) have already adopted it and thus are impacted.
Organizations should review security updates for their respective distributions and apply the
corresponding updates once available. Below are direct links to advisories for popular distributions:
• CVE-2022-0847 status for Red Hat based Linux systems
• CVE-2022-0847 status for Debian based Linux systems
• CVE-2022-0847 status for Ubuntu based Linux systems
Technical Details
The vulnerability utilizes pipes, a tool for unidirectional inter-process communication. They can be used for pushing data or pulling data between processes or commands. This is implemented by the Linux kernel via a ring of struct pipe buffer, which is referred to as a page. The first write to a pipe allocates a page, which is typically 4kB. If the recent write does not fill the page completely
the following write may append to the existing page, rather than allocating a new one.
The exploit takes this a step further and instead splices data from a file into the pipe. The kernel
then loads the data into the page cache. It will then create a struct pipe_buffer, that points inside
the page cache.
To overwrite the page cache there are a few constraints:
• The attacker must have read permissions
• The offset must not be on a page boundary
• The write cannot cross a page boundary
• The file cannot be resized
If the following constraints are met the exploit can be completed by:
• Creating a pipe
• Filling the pipe with arbitrary data (setting the PIPE_BUF_FLAG_CAN_MERG flag in all the
ring entries).
• Drain the pipe
• Splice data from the target file (opened with O_RDONLY) into the pipe from just before the
target offset.
• Write the arbitrary date into the date; this data will then overwrite the cached file page,
rather than creating a new struct pipe_buffer since the merge flag is set.
It is important to note that this not only works without write permissions, but also on immutable files, read only btrfs snapshots, and read-only mounts.
The full technical details are linked in the reference section.
Solution
This vulnerability has been patched in Linux kernels 5.16.11, 5.15.25, and 5.10.102. Updating impacted systems to the noted kernels as soon as possible is strongly recommended.
Temporary Workarounds and Mitigations
Linux Distributions such as Read Hat and Ubuntu are currently working on in triage and patches for this vulnerability. In the case of Debian for example, there are already available fixes.
What the Cyber Fusion Center is doing
The Cyber Fusion Center is working to patch internal systems which may be impacted. We’re also
conducting vulnerability scanning to identify impacted hosts for clients of the CFC’s Vulnerability
Scanning service. The CFC will be able to leverage monitored Endpoint Detection and Response
(EDR) systems to identify potential attempts to exploit this vulnerability for privilege escalation.
Sources
• https://dirtypipe.cm4all.com/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
• https://access.redhat.com/security/cve/cve-2022-0847
• https://www.debian.org/security/2022/dsa-5092
• https://twitter.com/yuvalavra/status/1500956953186607106
Kudelski Security Research 