Critical Root Privilege Escalation Vulnerability Alert In Linux – CVE-2022-0847

We would like to bring your attention to the following critical root privilege escalation vulnerability that we have recently become aware of. This vulnerability affects all major Linux distributions and is considered to be easy to exploit. Proof of concept exploits are publicly available for this vulnerability.

The vulnerability is tracked as CVE-2022-0847 (also known as Dirty Pipe) and allows for privilege escalation. A non-privileged user is able to inject and overwrite data in read-only files, including SUID processes that run as root. This vulnerability has been reported to affect Linux Kernel 5.8 (released August 2020) and later.

The vulnerability was officially fixed in Linux Kernel versions 5.16.11, 5.15.25 and 5.10.102, however, many distributions may also back-port this fix to earlier kernel versions.

Am I Affected?

Running one of the following commands will help identify the current Kernel

• uname -r

• cat /proc/version

• hostnamectl | grep Kernel

Example – uname -r

$ uname -r
5.13.19-3-generic

This host is likely to be vulnerable as the kernel version is 5.13.9 which is newer than 5.8 and older than any of the fixed versions 5.16.11, 5.15.25 and 5.10.102 (assuming now back ports have been applied).

Understanding Linux Version Numbers

Example Linux kernel version is 5.13.19-3-generic, where:

• 5 : Kernel version

• 13 : Major revision

• 19 : Minor revision

• 3 : Patch level or number

• generic : Linux distro/kernel specific additional info

Proof of Concept

Multiple proof of concepts now exists within the public domain which we will continue to monitor and update when new information becomes available.

We are aware of the following proof of concept exploit code; however we would not recommend running these without performing your own due diligence:

This first proof of concept video demonstrates a malicious attacker with local access escalating to root.

In this second video CovertSwarm demonstrates a malicious action with local access removing roots password requirement.

Remediation

At this time, many distributions have yet to releases patches against this issue, this is likely to change within the near future. For latest updates please review your respective vendors update page.

References

• https://access.redhat.com/security/cve/cve-2022-0847

• https://ubuntu.com/security/CVE-2022-0847

• https://dirtypipe.cm4all.com/

• https://twitter.com/phithon_xg/status/1500902906916081666?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed%7Ctwterm%5E1500905126076157953%7Ctwgr%5E%7Ctwcon%5Es2_&ref_url=https%3A%2F%2Fsecurityaffairs.co%2Fwordpress%2F128780%2Fhacking%2Fdirty-pipi-linux-flaw.html

What Is Constant Cyber Attack?

CovertSwarm COO Luke Potter explains why traditional testing no longer reflects how real attackers operate. In this piece, he defines constant cyber attack, a discipline built…

Threat Actors Don’t Wait For Your Annual OT Pen test

Annual OT pen tests provide snapshots. Real attackers operate continuously. This is why your operational technology security strategy needs to evolve.

Humans In The Loop: The Non-Negotiable In Offensive Security

AI and automation have transformed offensive security, but not replaced human ingenuity. Luke Potter explains why real attackers, and real defenders, still need humans in the…