Our Cloud Security Initiative
Secure Your Container Workloads
A new Critical Linux vulnerability was disclosed to the public on 7th March by Max Kellermann. It’s tracked as CVE-2022-0847 and has a severity score of 7.8 (HIGH).
This Dirty Pipe Vulnerability is similar to the Dirty Cow Vulnerability, recorded as CVE-2016-5195. But, is much easier to exploit. Dirty Cow vulnerability surfaced in October 2016.
This vulnerability is called Dirty Pipe Vulnerability since it enables attackers to perform insecure interactions between Linux files and Linux Pipe (in-memory data buffer), which can act like a file. Even though the file is flagged as read-only, modifying the in-memory copy acts as a write to the file system.
To read and understand how Max analyzed the bug, go here. It has all the nitty-gritty details and has all the background around the vulnerability.
Impact of Dirty Pipe Vulnerability on Containers
This allows escalation of privileges, as part of the unprivileged process, by injecting code into root processes and overwriting data in arbitrary read-only files. And this could let attackers take control of vulnerable systems.
Max Kellermann highlights, “To make this vulnerability more interesting, it not only works without write permissions, but it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”.
For Container workloads, if exploited, a user in a running Docker container can overwrite files in the image. This would mean attackers can modify files in the host from the container, which generally should not be allowed and possible.
Depending on the architecture of your Containers’ environment, it could be serious. If an attacker gets access to a single container on the host (in a vulnerable kernel), an attacker can modify the image itself or the files in read-only mounts from the host. If a shared image file is used by many containers, an attacker can make the most damage.
Max has shared his Proof Of Concept exploit here.
Here are a few simple commands for a PoC.
— BLASTY (@bl4sty) March 7, 2022
Talk about 2 POC of DirtyPipe(CVE-2022-0847)
Original POC: https://t.co/QBHYU6i33N is able to overwrite arbitrary file with offset like ./exp /etc/passwd 5 “:0:0:rootx”
Improved POC: https://t.co/qurmceoXI8 is able to overwrite a SUID program like ./exp /usr/bin/su pic.twitter.com/telIWSYG67
— Phith0n (@phithon_xg) March 7, 2022
uname -r to check your kernel version. If it’s 5.10.102, 5.15.25, or 5.16.11 then you are okay.
If you are on Kernel 5.8 or higher, it definitely needs to be patched. Currently, there is no mitigation available for this flaw. Customers should update to fixed packages, once they are available.
Max Kellermann explained that the vulnerability affects Linux Kernel 5.8 and later versions but was fixed in Linux 5.16.11, 5.15.25, and 5.10.102.
It’s always recommended to upgrade the kernel regularly and reboot the host post-upgrade. This will ensure that the patches are enabled and effective. This applies to all the Linux kernel vulnerabilities.
How can Cloudanix help?
Cloudanix helps you to improve your Cloud Security. Our platform offers CSPM, CIEM, and CWPP (Container Vulnerability) all in one – so your Kubernetes-based workloads running in any cloud or bare-metal can be secure. You can sign up for a free trial today!