Skip to content
  • Why Deepwatch?
    • Squad Delivery Model
    • Deepwatch Platform
    • Deepwatch Secure Score
    • Deepwatch Labs
  • Solutions
    • Managed Detection and Response (MDR)
      • MDR Enterprise
      • MDR Essentials
    • Managed Extended Detection Response (MXDR)
    • Endpoint Detection and Response (EDR)
    • Vulnerability Management (VM)
    • Firewall Management Solution
  • Company
    • About
    • Leadership
    • Careers
    • Contact
  • Partners
    • Channel Partners
    • Technology Alliance Partners
  • Resources
    • Resource Library
    • Blog
    • Case Studies
    • eBooks
    • Whitepapers
    • Datasheets
    • Video
    • Newsroom
    • Events
  • Search
  • Ready to Talk?
×

New Research Report: Security Leaders' Top Challenges & Priorities for 2023

Read Now
03.09.22

Customer Advisory | Linux Vulnerability: Dirty Pipe Has Exploit Code Released

By Eric Ford, 

Published March 09, 2022
Prepared by Deepwatch Threat Intel Team

Key Points:

  • Security researcher Max Kellermann disclosed a vulnerability that affects Linux Kernel versions 5.8 and later to include Android devices.
  • The local privilege escalation vulnerability tracked as CVE-2022-0847, allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
  • In addition to publicly disclosing the vulnerability, Kellerman also published a proof-of-concept exploit code that was quickly followed up by improved exploit code from another researcher and publicly disclosed. The exploit code could allow a threat actor to inject their data into sensitive read-only files, eliminating restrictions or changing configurations to give them more access than they would have otherwise.
  • Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will incorporate the available exploits to compromise Linux systems. Furthermore, this vulnerability is particularly concerning for colleges and universities that frequently provide shell access to multi-user Linux systems. Therefore, the Deepwatch Threat Intel Team recommends that customers update their Linux kernels to 5.10.102, 5.15.25, or 5.16.11.

Summary

On March 7, security researcher Max Kellermann disclosed a local privilege escalation vulnerability that affects Linux Kernel versions 5.8 and later, including Android devices. The vulnerability, tracked as CVE-2022-0847, allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.

In the disclosure, Kellerman stated that the limitations are:

  • The threat actor must have read permissions.
  • The offset must not be on a page boundary.
  • The write cannot cross a page boundary.
  • The file cannot be resized.

In addition to publicly disclosing the vulnerability, Kellerman also published a proof-of-concept (PoC) exploit code. The exploit code could allow a threat actor to inject their data into sensitive read-only files, eliminating restrictions or changing configurations to give them more access than they would have otherwise.

Shortly after the public disclosure, security researchers started testing the exploit code, with one researcher demonstrating its effectiveness by making sure the root user doesn’t have a password in the /etc/passwd file. After completing this change, a non-privileged user might simply use the ‘su root’ command to get root account access.

However, security researcher BLASTY disclosed an improved exploit that makes gaining root privileges easier by altering the /usr/bin/su command to dump a root shell at /tmp/sh and then executing the script02.

In their statements, they are extorting NVIDIA by threatening to release the 30 series hardware folder, “hw folder,” if NVIDIA does not “push an update for all 30 series firmware that remove lhr limitations.” Nvidia’s lite hash rate technology (LHR) allows graphics cards to minimize the mining capacity.

After executing the command, the user acquires root rights, as verified by BleepingComputer on Ubuntu 20.04.3 LTS running the 5.13.0-27-generic kernel.

Starting on February 20th, 2022, the vulnerability was responsibly disclosed to several Linux maintainers, including the Linux kernel security team and the Android Security Team.

Despite the vulnerability being resolved in Linux kernels 5.10.102, 5.15.25, or 5.16.11, many servers continue to use outdated kernels, making the release of this vulnerability a significant concern for server admins.
Tenable has released plugin ID 158682 to scan for this and other vulnerabilities listed in the dsa-5092 security advisory. At this time Qualys has not publicly disclosed any plugin IDs.

Deepwatch Threat Intelligence Outlook

Deepwatch Threat Intel Team assesses with moderate confidence that threat actors will incorporate the available exploits to compromise Linux systems. Furthermore, this vulnerability is particularly concerning for colleges and universities that frequently provide shell access to multi-user Linux systems. Therefore, the Deepwatch Threat Intel Team recommends that customers update their Linux systems as soon as an update is available for your specific version with the priority for the update going to systems that are internet-facing.

Author: Eric Ford

Subscribe to the Deepwatch Insights Blog

Post navigation

Previous post

Customer Advisory | NVIDIA Confirms Data Was Stolen as Lapsus$ Takes Credit

Next post

Customer Advisory | President Warns of Russian Government Exploring Options for Cyber Attacks

Deepwatch

DENVER
OFFICE & SOC

7800 East Union Avenue
Suite 900
Denver, CO 80237 USA
855.303.3033

TAMPA
OFFICE & SOC

4030 W Boy Scout Blvd.
Suite 550
Tampa, FL 33607 USA
855.303.3033

[email protected]

Why Deepwatch

  • Squad Delivery Model
  • Deepwatch Platform
  • Deepwatch Secure Score
  • Deepwatch Labs

Solutions

  • Managed Detection and Response (MDR)
  • MDR Essentials
  • MDR Enterprise
  • Managed Extended Detection Response (MXDR)
  • Endpoint Detection and Response (EDR)
  • Vulnerability Management (VM)
  • Firewall Management Solution

Company

  • About Us
  • Leadership
  • Careers
  • Contact

Resources

  • Resource Library
  • Insights Blog
  • News
  • Events

Partners

  • Channel Partners
  • Technology Alliance Partners

Contact

  • Let's Talk
  • Customer Login
  • Partner Login
GDPR Badge PCI Badge SOC2 Badge TRUSTe
LinkedIn Twitter YouTube YouTube

© Copyright 2023 Deepwatch incorporated

Trust | Sitemap | Privacy Policy