{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2022-014.pdf"
    },
    "title": "Privilege Escalation Vulnerability in Linux Kernel",
    "serial_number": "2022-014",
    "publish_date": "08-03-2022 10:28:00",
    "description": "On March 7th, a security researcher disclosed the Dirty Pipe vulnerability affecting Linux Kernel 5.8 and later versions. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files including SUID processes that run as root.<br>As per the researcher, the vulnerability is similar to CVE-2016-5195 Dirty Cow, but it is even easier to exploit.",
    "url_title": "2022-014",
    "content_markdown": "---\ntitle: 'Privilege Escalation Vulnerability in\u00a0Linux\u00a0Kernel'\nversion: '1.0'\nnumber: '2022-014'\ndate: 'March 8, 2022'\n---\n\n_History:_\n\n* _08/03/2022 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn March 7th, a security researcher disclosed the _Dirty Pipe_ vulnerability affecting Linux Kernel 5.8 and later versions. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root [1].\n\nAs per the researcher, the vulnerability is similar to CVE-2016-5195 _Dirty Cow_, but it is even easier to exploit.\n\n# Technical Details\n\nA flaw was found in the way the _flags_ member of the new pipe buffer structure lacked proper initialisation in the `copy_page_to_iter_pipe` and `push_pipe` functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and, as such, escalate their privileges on the system [3].\n\nMultiple variants of the exploit were published by security researchers to gain root privileges by patching `/usr/bin/su` [4] or by overwriting `/etc/passwd`, ultimately leading to a root shell [5].\n\n# Affected Products\n\nThis critical vulnerability affects Linux Kernel 5.8 and later versions, including Android devices.\n\n# Recommendations\n\nThe vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102 [2].\n\nLinux users with an affected kernel version (>=5.8) should apply the patches as soon as they are available.\n\n## Mitigations\n\nCurrently there is no mitigation available, and SELinux does not mitigate this flaw.\n\n# References\n\n[1] <https://dirtypipe.cm4all.com/>\n\n[2] <https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/>\n\n[3] <https://access.redhat.com/security/vulnerabilities/RHSB-2022-002>\n\n[4] <https://twitter.com/bl4sty/status/1500822440569708545?s=20&t=P98rSsNmr76cXfhHvrhfmg>\n\n[5] <https://twitter.com/phithon_xg/status/1500902906916081666?s=20&t=n9tJBqhuTd4fm-bz43s2HQ>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>08/03/2022 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On March 7th, a security researcher disclosed the <em>Dirty Pipe</em> vulnerability affecting Linux Kernel 5.8 and later versions. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root [1].</p><p>As per the researcher, the vulnerability is similar to CVE-2016-5195 <em>Dirty Cow</em>, but it is even easier to exploit.</p><h2 id=\"technical-details\">Technical Details</h2><p>A flaw was found in the way the <em>flags</em> member of the new pipe buffer structure lacked proper initialisation in the <code>copy_page_to_iter_pipe</code> and <code>push_pipe</code> functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and, as such, escalate their privileges on the system [3].</p><p>Multiple variants of the exploit were published by security researchers to gain root privileges by patching <code>/usr/bin/su</code> [4] or by overwriting <code>/etc/passwd</code>, ultimately leading to a root shell [5].</p><h2 id=\"affected-products\">Affected Products</h2><p>This critical vulnerability affects Linux Kernel 5.8 and later versions, including Android devices.</p><h2 id=\"recommendations\">Recommendations</h2><p>The vulnerability was fixed in Linux 5.16.11, 5.15.25 and 5.10.102 [2].</p><p>Linux users with an affected kernel version (&gt;=5.8) should apply the patches as soon as they are available.</p><h3 id=\"mitigations\">Mitigations</h3><p>Currently there is no mitigation available, and SELinux does not mitigate this flaw.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://dirtypipe.cm4all.com/\">https://dirtypipe.cm4all.com/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/\">https://www.bleepingcomputer.com/news/security/new-linux-bug-gives-root-on-all-major-distros-exploit-released/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://access.redhat.com/security/vulnerabilities/RHSB-2022-002\">https://access.redhat.com/security/vulnerabilities/RHSB-2022-002</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/bl4sty/status/1500822440569708545?s=20&amp;t=P98rSsNmr76cXfhHvrhfmg\">https://twitter.com/bl4sty/status/1500822440569708545?s=20&amp;t=P98rSsNmr76cXfhHvrhfmg</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/phithon_xg/status/1500902906916081666?s=20&amp;t=n9tJBqhuTd4fm-bz43s2HQ\">https://twitter.com/phithon_xg/status/1500902906916081666?s=20&amp;t=n9tJBqhuTd4fm-bz43s2HQ</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}