Security researchers have discovered and publicly released information on new vulnerabilities and kernel-level exploits. The vulnerabilities, CVE-2022-0492 and CVE-2022-0847, are some of the highest-severity exploits and affect out-of-date Linux distros. Because its execution resembles that of the 2016 “Dirty Cow” exploit, CVE-2022-0847 has been dubbed the “Dirty Pipe” exploit. Using the vulnerability, an attacker can gain complete root access to a device. Barracuda MSP recommends updating all vulnerable Linux distros immediately.
Technical Detail and Additional Info
What is the threat?
CVE-2022-0847, also known as “Dirty Pipe”, was discovered by security researcher Max Kellermann. In a proof-of-concept demonstration, Kellermann showed a kernel-level vulnerability within multiple Linux distros. Essentially, these distros contain a bug within the “pipeline” of multiple processes sending data to each other. The vulnerability allows unprivileged users to inject code into “read only” files and modify configurations, allowing them to easily obtain root access, among many other attacks.
Why is it noteworthy?
The exploit makes it easy for any user to gain unfettered access to a system with a root-level shell. Although the issue has been patched in Linux kernels 5.16.11, 5.15.25, and 5.10.102, many servers continue to operate using outdated kernels, making the release of this exploit one of the highest-severity releases in recent Linux history. It is also notable that the previous exploit this vulnerability takes its name from, “Dirty Cow”, was used extensively by malware, and this vulnerability is even easier for threat actors to take advantage of.
What is the exposure or risk?
Kellermann released the ‘Dirty Pipe’ vulnerability and stated that it “affects Linux Kernel 5.8 and later versions, even on Android devices.” This leaves a large attack surface for those running Linux servers with outdated kernels. If an attacker were to exploit this vulnerability, they could move laterally to other devices in the environment, add/remove/modify files at will, and much more.
What are the recommendations?
Barracuda MSP recommends patching and updating all Linux kernels to versions 5.16.11, 5.15.25, and 5.10.102 or higher. We recommend acting immediately because threat actors will almost assuredly begin using this exploit in attacks right away, given its ease of use and wide availability.
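To triage hosts against the versions named above, the following added example (not part of the original advisory) classifies a `uname -r` string. The function name and status labels are hypothetical, and it assumes the string reflects the upstream version, which distribution kernels with backported fixes may not.

```sh
#!/bin/sh
# Added example, not vendor code. Classifies a kernel release string (the
# format printed by `uname -r`) against the versions named in this advisory:
# affected from 5.8, fixed in 5.10.102, 5.15.25 and 5.16.11.
# Assumption: the string reflects the upstream version. Distribution kernels
# often backport fixes without changing it, so treat "vulnerable" as
# "confirm against the vendor's advisory for CVE-2022-0847".

dirty_pipe_status() {
    # Extract leading "major minor patch" digits; a missing patch level becomes 0.
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(\.\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    # Word splitting is intended here: it yields the three numeric fields.
    set -- $parsed
    if [ "$#" -lt 2 ]; then
        echo unknown
        return 0
    fi
    major=$1 minor=$2 patch=${3:-0}

    # Kernels older than 5.8 are outside the affected range in the advisory.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected
        return 0
    fi
    # Anything from 5.17 on is newer than every fixed release listed.
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo patched
        return 0
    fi
    # Fixes are per stable branch, so compare the patch level only within the
    # branch. The advisory lists no fixed release for 5.8, 5.9 or 5.11-5.14,
    # so those are reported as vulnerable (assumption: move to a fixed branch).
    case $minor in
        10) fixed=102 ;;
        15) fixed=25 ;;
        16) fixed=11 ;;
        *)  echo vulnerable; return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Report on the running kernel.
printf '%s: %s\n' "$(uname -r)" "$(dirty_pipe_status "$(uname -r)")"
```

A plain numeric comparison against the lowest fixed version would wrongly pass a branch such as 5.13, which is why the check is done per branch.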
References
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/
- https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/
- https://arstechnica.com/information-technology/2022/03/linux-has-been-bitten-by-its-most-high-severity-vulnerability-in-years/
If you have any questions, please contact our Security Operations Center.
This post was based on a threat advisory issued by our Barracuda Managed XDR team. For more info on how to best prepare your MSP business to protect clients from cyberthreats, visit the Barracuda Managed XDR page.