
Friday 11 March 2022

Dirty Pipe Linux Vulnerability Allows Root Privilege Access

Summary

CVE: CVE-2022-0847

Priority: High

Affected Products: Linux kernels after version 5.8 and prior to 5.10.102, 5.15.25, and 5.16.11

Analysts identified a new Linux vulnerability dubbed “Dirty Pipe” that allows threat actors to gain root privileges using publicly available exploits. Dirty Pipe is a Linux kernel vulnerability, introduced in its current form in version 5.8, that allows attackers to overwrite data in arbitrary read-only files. A successful exploit results in privilege escalation, because an unprivileged process can inject code into root processes. While this vulnerability is similar to CVE-2016-5195 “Dirty Cow”, which was fixed in 2016, Dirty Pipe is easier to exploit.

The Dirty Pipe vulnerability was addressed in Linux kernel versions 5.10.102, 5.15.25, and 5.16.11.

Analysis

Potential Impact

If successfully exploited, Dirty Pipe could allow attackers to overwrite data in arbitrary read-only files and to completely take over the affected system.

CVE-2022-0847 affects Linux kernel versions 5.8 and later, including versions run on Android devices, and allows threat actors to inject and overwrite data in read-only files, including SUID binaries that run as root.

Analysts released a proof-of-concept (PoC) exploit that allows users to inject data into read-only files, remove restrictions, or modify configurations to provide greater access than normally allowed. An attacker could use this exploit to modify the /etc/passwd file to erase the root user’s password. Once the root user’s password has been deleted, the attacker could then execute the 'su root' command to gain access to the root account.

Analysts also identified an updated exploit that could grant threat actors root privileges by patching the /usr/bin/su command and dropping a root shell at /tmp/sh, then executing the script. Attackers can gain root privileges once this script is executed.

Although patched in Linux kernel versions 5.10.102, 5.15.25, and 5.16.11, this vulnerability remains a significant security threat for network defenders as many servers continue to run outdated kernels. Dirty Pipe is a particular security threat for web hosting providers offering Linux shell access, or for universities that commonly provide shell access to multi-user Linux systems.

Recommendations

Dirty Pipe and the PoC exploit releases are attractive tools for threat actors. Organizations should check their Linux kernel version. If the kernel is 5.x, organizations should update to 5.10.102, 5.15.25 or 5.16.11 after conducting the appropriate testing and evaluation.
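
A version check following the recommendation above, as an added example that is not part of the original advisory: `dirtypipe_status` (a hypothetical helper name) classifies a kernel release string against the fixed releases listed here. It assumes mainline releases newer than the 5.16 series carry the fix, and it compares upstream version numbers only, so a distribution kernel with a backported fix can still be reported as vulnerable and should be confirmed against the vendor advisory.

```shell
#!/bin/sh
# Classify a kernel release string for CVE-2022-0847 using the versions in
# this advisory. Prints: not-affected | fixed | vulnerable | unknown
dirtypipe_status() {
    # Keep the leading dotted number, e.g. "5.15.24-generic" -> "5.15.24".
    ver=${1%%[!0-9.]*}
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    major=$1 minor=$2 patch=${3:-0}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown; return
    fi

    # Before 5.8 the bug does not exist in the form described here.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return
    fi
    # Assumption: releases newer than the 5.16 series include the fix.
    if [ "$major" -gt 5 ] || [ "$minor" -gt 16 ]; then
        echo fixed; return
    fi

    # Series for which the advisory names a fixed release.
    case $minor in
        10) fixed_patch=102 ;;
        15) fixed_patch=25 ;;
        16) fixed_patch=11 ;;
        *)  # 5.8, 5.9, 5.11-5.14: no fixed release is listed for these series.
            echo vulnerable; return ;;
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Check the running kernel, or a release string passed as the first argument.
dirtypipe_status "${1:-$(uname -r)}"
```

Some distributions report a package ABI version in `uname -r` rather than the upstream patch level, so treat a `vulnerable` result as a prompt to check the installed kernel package version.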


 
