Skip to content

Search the site

"Dirty Pipe" Linux vulnerability now being exploited

Well a Metasploit module has been available for a while...

The Linux vulnerability dubbed Dirty Pipe is now being actively exploited in the wild, CISA has confirmed. (Assigned CVE-2022-0847 and first publicly disclosed on March 7, the escalation of privileges (EOP) vulnerability exists in all Linux kernel versions from 5.8 forward and lets a read-only attacker gain root.)

CISA confirmed Dirty Pipe exploitation in an update to the "Known Exploited Vulnerabilities Catalog" -- a list of exploited software bugs that all Federal Civilian Executive Branch (FCEB) agencies must patch -- that added seven new exploited vulnerabilities to its list, which now includes 654 actively abused vulnerabilities.

(These also included CVE-2022-29464,  CVE-2022-26904,  CVE-2022-21919,  CVE-2021-41357,  CVE-2021-40450 and  CVE-2019-1003029, which CISA requires to be patched by May 16, 2022, under strict new rules.)

The Dirty Pipe vulnerability was first reported by German software engineer Max Kellermann who noted in his iitial write-up: “To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts).”

See: 7 free enterprise-ready security tools to use

Kellerman publicly disclosed (after coordinating with the Linux kernel and Android security teams) a proof-of-concept CVE-2022-0847 exploit alongside his write-up which was soon augmented by other security researchers, with one, Phith0n, for example showing how they could use the Dirty Cow exploit to modify the /etc/passwd file so that the root user does not have a password so any user can execute the 'su root' command for full access.

With an updated exploit by BLASTY as tracked by Bleeping Computer making it even easier to gain root privileges by patching the /usr/bin/su command to drop a root shell at /tmp/sh and then executing the script, newly confirmed exploitation by CISA is hardly surprising at this point: the vulnerability had a Metasploit module spun up for it within days of disclosure making post-breach abuse even easier for Red Teams or other attackers.

Red Hat made a vulnerability detection script available here. Refer to other Linux vendors/distros' guidance for detection of exposed instances and how to patch or mitigate for those napping.

Dirty Pipe exploited

The Dirty Pipe vulnerability was disclosed just eight weeks after a critical vulnerability in a programme installed by default on every major Linux distribution was identified and allocated CVE-2021-4034.

Dubbed PwnKit it also gives any unprivileged user the ability to easily gain root access in a potential nightmare for security teams hoping to prevent lateral movement by hackers who have gained a toe-hold in their systems. The vulnerability is in polkit’s pkexec, a SUID-root programme that’s ubiquitous across Linux boxes and used to control system-wide privileges in Unix-like operating systems. It was found by the research team at Qualys.

US National Security Agency (NSA) Cybersecurity Director Rob Joyce noted on Twitter that the bug “has me concerned. Easy and reliable privilege escalation preinstalled on every major Linux distribution. Patch ASAP or use the simple chmod 0755 /usr/bin/pkexec mitigation. There are working POCs in the wild” he added.

As ever, patch your boxes if you humanly can.

Follow The Stack on LinkedIn