Post Syndicated from Caitlin Condon original https://blog.rapid7.com/2022/03/09/cve-2022-0847-arbitrary-file-overwrite-vulnerability-in-linux-kernel/
| CVE | Disclosure | AttackerKB | IVM Content | Patching Urgency | Blog’s Last Update |
|---|---|---|---|---|---|
| CVE-2022-0847 | Original disclosure | AttackerKB | March 9, 2022 | When practical | March 9, 2022 5:30 PM EST |
On March 7, 2022, CM4all security researcher Max Kellermann published technical details on CVE-2022-0847, an arbitrary file overwrite vulnerability in versions 5.8+ of the Linux kernel. Nicknamed “Dirty Pipe,” the vulnerability arises from incorrect Unix pipe handling, where unprivileged processes can corrupt read-only files. Successful exploitation allows local attackers to escalate privileges by modifying or overwriting typically inaccessible files — potentially including root passwords and SUID binaries.
CVE-2022-0847 affects Linux kernel versions since 5.8. Read Rapid7’s full technical analysis of the vulnerability in AttackerKB, including PoC and patch analysis.
While CVSS is not yet available, CVE-2022-0847 will likely carry a “High” severity rating rather than a “Critical” one given the authentication requirement. Multiple public exploits are available, including a proof of concept from the original disclosure and a Metasploit module. We are not aware of any reports of exploitation in the wild as of March 9, 2022.
This is a “patch, but no need to panic” situation. With that said, a few factors make this bug stand out a bit more than the average local privilege escalation (LPE) vuln. First and foremost, this is a simple attack to execute once initial access has been obtained, and it offers adversaries broad avenues for privileged operations after sensitive files (like root passwords) have been modified. Security researchers have also demonstrated that in some cases, public exploit code can be used to escape containers in that files modified inside the container also get modified on the host. Finally, the lingering specter of Log4Shell means that there may be a higher chance that attackers already have local access required to execute a privilege escalation attack on Linux systems.
Updates to Linux distributions have been trickling out. Organizations should apply the latest patches as soon as they are available and reboot systems.
Rapid7 customers
Upcoming content releases for InsightVM and Nexpose customers will provide checks for CVE-2022-0847 as supported Linux vendors publish distribution-specific security advisories and updated packages. Checks for Debian and Ubuntu are expected March 9, with SUSE to follow later in the week. Red Hat has not yet published any errata at this time.