CVE-2022-0847 aka Dirty Pipe vulnerability in Linux kernel

14 Mar 2022

minute read

Dirty Pipe technical details
Dirty Pipe mitigations
IOCs (MD5 hashes of CVE-2022-0847 exploits)

Authors

AMR

Last week, security researcher Max Kellermann discovered a high severity vulnerability in the Linux kernel, which was assigned the designation CVE-2022-0847. It affects the Linux kernels from 5.8 through any version before 5.16.11, 5.15.25 and 5.10.102, and can be used for local privilege escalation. The vulnerability resides in the pipe tool, which is used for unidirectional communication between processes, so the researcher called it “Dirty Pipe”. Although the flaw is fixed in the latest Linux kernel versions, and, according to our data, there is no mass exploitation of this vulnerability at the moment, a detailed description and a working POC are available online, which increases the risk of this vulnerability being exploited by attackers.

Kaspersky products protect against attacks leveraging the Dirty Pipe vulnerability. The detection verdicts are:

HEUR:Exploit.Linux.CVE-2022-0847.a
HEUR:Exploit.Linux.CVE-2022-0847.b
HEUR:Exploit.Linux.CVE-2022-0847.с
HEUR:Exploit.Linux.CVE-2022-0847.gen

Dirty Pipe technical details

An unprivileged local user could use the Dirty Pipe flaw to write to pages in the page cache backed by read-only files and as such, escalate their privileges on the system. This vulnerability happens due to usage of partially uninitialized memory of the pipe buffer structure during its construction. A lack of zero initialization of the new structure’s member results in a stale value of flags, which can be abused by an attacker to gain write access to pages in the cache even if they originally were marked with a read-only attribute.

There are plenty of ways for attackers to gain the root privileges using this vulnerability, such as unauthorized creation of new cron jobs, SUID binary hijacking, /etc/passwd modification, and so on.

A working version of the Dirty Pipe exploit is already available on various security-related sites and repositories, so it can be used by attackers ITW.

Dirty Pipe mitigations

To ensure that your corporate infrastructure is protected against this and similar threats:

Apply all relevant security updates once they are available. To patch CVE-2022-0847, update your Linux systems to versions 5.16.11, 5.15.25 and 5.10.102 or newer.
Use a security solution that provides patch management and endpoint protection, such as Kaspersky Endpoint Security for Linux.
Use the latest Threat Intelligence information to stay aware of actual TTPs used by threat actors.

IOCs (MD5 hashes of CVE-2022-0847 exploits)

ebc8f0556e031a0b1180cfdfe6bf6e03
c3662a101db6bd9edec35767c7b85741

Authors

AMR

CVE-2022-0847 aka Dirty Pipe vulnerability in Linux kernel

Latest Posts

Latest Webinars

Reports

While monitoring the traffic of our own corporate Wi-Fi network, we noticed suspicious activity that originated from several iOS-based phones. We created offline backups of the devices, inspected them and discovered traces of compromise.

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

Kaspersky analysis of the CloudWizard APT framework used in a campaign in the region of the Russo-Ukrainian conflict.

For more than five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

CVE-2022-0847 aka Dirty Pipe vulnerability in Linux kernel

Dirty Pipe technical details

Dirty Pipe mitigations

IOCs (MD5 hashes of CVE-2022-0847 exploits)

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

IT threat evolution in Q1 2023. Non-mobile statistics

Kaspersky Security Bulletin 2022. Statistics

IT threat evolution in Q3 2022. Non-mobile statistics

IT threat evolution in Q2 2022. Non-mobile statistics

CVE-2022-30190 (Follina) vulnerability in MSDT: description and counteraction

QBot banker delivered through business correspondence

Not just an infostealer: Gopuram backdoor deployed through 3CX supply chain attack

CVE-2022-41040 and CVE-2022-41082 – zero-days in MS Exchange

Ongoing exploitation of CVE-2022-41352 (Zimbra 0-day)

Two more malicious Python packages in the PyPI

Latest Posts

How cybercrime is impacting SMBs in 2023

LockBit Green and phishing that targets organizations

Dissecting TriangleDB, a Triangulation spyware implant

A bowl full of security problems: Examining the vulnerabilities of smart pet feeders

Latest Webinars

Unveiling the Darknet’s Malware-as-a-Service model

Securing the Fort: How to master cyber incident response in a large company

Cyberthreats to modern automotive industry

Applying ATT&CK to analyze ransomware campaigns

Reports

Operation Triangulation: iOS devices targeted with previously unknown malware

Meet the GoldenJackal APT group. Don’t expect any howls

CloudWizard APT: the bad magic story goes on

APT trends report Q1 2023

Subscribe to our weekly e-mails