Dirty Pipe, CVE-2022-0847, allows non-root user accounts to gain root-level privileges. With the elevated privileges, the user can modify files, including read-only files, compromising their integrity, and can read files they would not usually have access to, impacting confidentiality. In extreme cases, they could shut down services or servers, impacting the availability of the services running on them. Beyond the server, this vulnerability also impacts Android-based phones. The problem is present in all Linux kernels going back to kernel 5.8. The problem has been confirmed fixed in versions 5.16.11, 5.15.25, and 5.10.102.
The recently announced flaw, CVE-2022-0847, is in the Linux kernel. It allows multiple types of privilege escalation through multiple publicly available programs that any user can run. Examples include:
Coretek is informing customers of the issue, providing analysis steps to see if their systems have been compromised, and recommending that users update the kernel running on their Linux-based systems to the known patched version.
Coretek advises customers to review the following items for signs of compromise:
If you find a host artifact that indicates your system has been compromised, you’ll need to start your Incident Response Plan for compromised systems.
The known patched kernel versions are 5.16.11, 5.15.25, and 5.10.102. If your system is not showing a sign of compromise, update to a known patched kernel version.
If your system is compromised, see the comment above about starting the Incident Response Plan before patching. Your Incident Response team may need information from the system before upgrading the kernel.
One of the recommendations for hardening a Linux system is to disable root logins; this prevents direct access to the system as the privileged root user. Users should log in with their regular non-privileged accounts and then escalate to root using the sudo command.
To disable root login, change “PermitRootLogin” to “no” in /etc/ssh/sshd_config. Then restart the sshd service so the change takes effect.
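The two checks above (whether the running kernel is older than the listed patched releases, and whether sshd still permits root login) can be scripted for a fleet review. The following is an added example written for this page, not Coretek's own tooling; it assumes only the 5.x series listed in the advisory are affected and that kernels from 5.17 onward ship the fix, and the sample sshd_config files it creates are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Coretek's tooling): two defender-side checks based on
# the kernel versions and the sshd setting described in this advisory.

# Returns 0 (true) if a kernel version string such as "5.15.24-generic" falls
# in the affected range for CVE-2022-0847, 1 if it is at or past a fixed release.
dirty_pipe_vulnerable_version() {
    v=$(printf '%s' "$1" | sed 's/[-+].*$//')   # drop the distro suffix
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    patch=$(printf '%s' "$v" | cut -d. -f3)
    patch=${patch:-0}
    if [ "$major" -ne 5 ] || [ "$minor" -lt 8 ]; then
        return 1   # introduced in 5.8 (assumption: no 4.x or 6.x kernels affected)
    fi
    case "$minor" in
        10) [ "$patch" -lt 102 ] ;;   # fixed in 5.10.102
        15) [ "$patch" -lt 25 ] ;;    # fixed in 5.15.25
        16) [ "$patch" -lt 11 ] ;;    # fixed in 5.16.11
        *)  [ "$minor" -le 16 ] ;;    # other 5.8..5.16 series: no listed fix; assumption: 5.17+ are fixed
    esac
}

# Returns 0 (true) if the sshd_config at $1 does not explicitly set
# "PermitRootLogin no". sshd honours the first occurrence of a keyword;
# Match blocks are not considered by this simple check.
permit_root_login_enabled() {
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$1" 2>/dev/null \
          | head -n 1 | awk '{print tolower($2)}')
    [ "${val:-unset}" != "no" ]
}

# Constructed sample configs (not from any real host) to exercise the check.
WEAK_CFG=$(mktemp); printf 'Port 22\nPermitRootLogin yes\n' > "$WEAK_CFG"
HARD_CFG=$(mktemp); printf 'Port 22\nPermitRootLogin no\n' > "$HARD_CFG"

# Usage against the running host:
if dirty_pipe_vulnerable_version "$(uname -r)"; then
    echo "kernel $(uname -r): update to 5.16.11, 5.15.25 or 5.10.102 (or later)"
fi
if permit_root_login_enabled /etc/ssh/sshd_config; then
    echo "sshd_config: set 'PermitRootLogin no' and restart sshd"
fi
```

Run it as a non-root user on each host to review; a host that prints the kernel line should be checked for the compromise indicators above before it is patched.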
If you are a Coretek customer, have any questions about Coretek remediation actions or your support agreements with Coretek, or are a visitor who would like more information, please get in touch here.