Just in Time Bulletin: CVE-2022-0847 Dirty Pipe

Mar 21, 2022

What is Dirty Pipe (CVE-2022-0847)?

CVE-2022-0847, known as Dirty Pipe, is a local privilege escalation vulnerability that impacts the piping mechanism in Linux operating systems. Piping is a core Linux function that facilitates unidirectional inter-process communication where the output of one command or process can be passed as input to another. A fault in the piping function could be exploited to overwrite read-only files, which leads to conditions suitable for privilege escalation. 

Within Linux the smallest unit of memory management is a “page”, which is 4 KB (4096 bytes) in size. When a process performs file I/O, the kernel first copies chunks of the file into the page cache, from which they can then be copied into user space. The flaw stems from a pipe buffer flag introduced in kernel 5.8, PIPE_BUF_FLAG_CAN_MERGE, which allows data written to a pipe to be merged into the page already backing a pipe buffer, including a page-cache page. Because the “copy_page_to_iter_pipe” and “push_pipe” functions did not properly initialize the pipe buffers they created, a stale PIPE_BUF_FLAG_CAN_MERGE flag could remain set on a buffer referencing a read-only page-cache page, so that page could be modified through the pipe. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and thereby escalate their privileges on the system.

How bad is this?

CVE            CVSSv3 Score
CVE-2022-0847  7.8


Active exploitation today: Exploited in the wild, proof of concept code publicly available.

Severity: Critical

  • Local privilege escalation
  • Results in trivial ‘root’ access on vulnerable systems
  • Likely to be chained with other vulnerabilities (Log4Shell), malware, and rootkits

Who is affected by this? 

  • Endpoints running Linux kernel 5.8 or higher

How are they exploited? 

Exploitation requires local access to a vulnerable system, which limits the risk from purely remote attackers. Successful exploitation itself has a few limitations:

  1. The attacker must have read permission on the target file
  2. The target offset must not lie on a page boundary, or zero bytes would be spliced into the pipe
  3. The write cannot cross a page boundary, which would create a new pipe buffer that lacks the required flag
  4. The file cannot be resized

To exploit this vulnerability, an attacker would need to:

  1. Create a pipe
  2. Fill the pipe with arbitrary data 
  3. Drain the pipe 
  4. Splice data from the target file into the pipe from just before the target offset
  5. Write arbitrary data into the pipe, which overwrites the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set

Am I at Risk? 

All Linux kernel versions 5.8 and higher are vulnerable unless they have been updated to one of the fixed versions listed below.

To determine if you’re at risk, execute the following command:

$ uname -r
5.16.11-76051611-generic

The table below lists the fixed version for each affected kernel series.

Linux Kernel Version  Fixed Linux Kernel Version
5.8                   5.10.102
5.15                  5.15.25
5.16                  5.16.11
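The following script is an added example (not NopSec tooling) that automates the check described above: it takes a release string of the kind printed by `uname -r`, strips the distribution suffix, and classifies it against the fixed versions in the table. Two assumptions go beyond the table: series with no fixed release listed (5.8, 5.9 and 5.11 through 5.14) are reported as vulnerable, and releases from 5.17 onward are treated as carrying the fix.

```sh
#!/bin/sh
# Added example, not part of the NopSec bulletin: classify a kernel release
# string against the Dirty Pipe (CVE-2022-0847) fixed versions from the table.
#
# Assumptions not stated on the page:
#   - 5.8, 5.9 and 5.11-5.14 have no fixed release in the table -> "vulnerable"
#   - 5.17 and later (and any 6.x) are treated as fixed

# Prints "not-affected", "fixed" or "vulnerable" for a string such as
# "5.16.11-76051611-generic" (the output of `uname -r`).
dirty_pipe_status() {
    rel="$1"
    # Drop the distro suffix ("-76051611-generic"), then split major.minor.patch.
    base="${rel%%-*}"
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    if [ "$rest" = "$minor" ]; then
        patch=0                      # no patch level given (e.g. "5.16")
    else
        patch="${rest#*.}"
    fi
    patch="${patch%%[!0-9]*}"        # keep only the leading digits
    [ -z "$patch" ] && patch=0

    # Kernels before 5.8 never had PIPE_BUF_FLAG_CAN_MERGE.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected
        return 0
    fi
    # Assumption: 5.17+ and 6.x were released with the fix.
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo fixed
        return 0
    fi
    # Fixed patch levels from the bulletin's table, per series.
    case "$minor" in
        10) fixed_patch=102 ;;
        15) fixed_patch=25 ;;
        16) fixed_patch=11 ;;
        *)  echo vulnerable; return 0 ;;   # series with no fixed release listed
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# When run directly, report on the kernel this host is running.
running="$(uname -r)"
printf '%s: %s\n' "$running" "$(dirty_pipe_status "$running")"
```

Run it as `sh dirty-pipe-check.sh`; a result of "vulnerable" means the running kernel is below the fixed version for its series and should be updated as described in the next section.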


How do I protect myself? 

It is recommended that the Linux kernel be updated to a fixed version (see the table above) to eliminate the risk of Dirty Pipe.

Additional Resources: 

To stay up to date on recent security vulnerabilities subscribe to our blog!