What is Dirty Pipe (CVE-2022-0847)?
CVE-2022-0847, known as Dirty Pipe, is a local privilege escalation vulnerability that impacts the piping mechanism in Linux operating systems. Piping is a core Linux function that facilitates unidirectional inter-process communication where the output of one command or process can be passed as input to another. A fault in the piping function could be exploited to overwrite read-only files, which leads to conditions suitable for privilege escalation.
Within Linux the smallest unit of memory management is a “page”, which is 4kb (4096b) in size. When a process requires file I/O the kernel will first copy chunks of the file into a page cache, which can then be copied into user space. The flaw was present due to pipe buffer attributes introduced in kernel 5.8 that enabled pipe buffers to be merged with page caches (PIPE_BUF_FLAG_CAN_MERGE). Due to a lack of proper initialization in the “copy_page_to_iter_pipe” and “push_pipe” functions this resulted in a condition where the page cache could contain read-only data that could be manipulated by a pipe. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.
How bad is this?
CVE | CVSSv3 Score |
CVE-2022-0847 | 7.8 |
Active exploitation today: Exploited in the wild, proof of concept code publicly available.
Severity: Critical
- Local privilege escalation
- Results in trivial ‘root’ access on vulnerable systems
- Likely to be chained with other vulnerabilities (Log4Shell), malware, and rootkits
Who is affected by this?
- Endpoints running Linux kernel 5.8 or higher
How are they exploited?
Exploitation requires local access to a vulnerable system, which minimizes the risk of unauthorized access by remote attackers. Successful exploitation itself has a few limitations:
- The attacker must have read permissions
- The offset must not be on a page boundary or zero bytes would be spliced into the pipe
- The write cannot cross a page boundary, which would create a new pipe buffer that lacked the required flags
- The file cannot be resized
To exploit this vulnerability, an attacker would need to:
- Create a pipe
- Fill the pipe with arbitrary data
- Drain the pipe
- Splice data from the target file into the pipe from just before the target offset
- Write arbitrary data into the pipe, which overwrites the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set
Am I at Risk?
All Linux kernel versions 5.8 and higher are vulnerable
To determine if you’re at risk, execute the following command:
$ uname -r
5.16.11-76051611-generic
The below table provides detailed information on fixed versions.
Linux Kervel Version | Fixed Linux Kernel Version |
5.8 | 5.10.102 |
5.15 | 5.15.25 |
5.16 | 5.16.11 |
How do I protect myself?
It is recommended that the Linux kernel be updated to eliminate the risk of Dirty Pipe.
Additional Resources:
- RadHat: https://access.redhat.com/security/cve/cve-2022-0847
- Ubuntu: https://ubuntu.com/security/CVE-2022-0847
- Debian: https://security-tracker.debian.org/tracker/CVE-2022-0847
- https://dirtypipe.cm4all.com/
To stay up to date on recent security vulnerabilities subscribe to our blog!