Protecting against CVE-2022-0847 Dirty Pipe Vulnerability
Another local privilege escalation bug in the Linux kernel was recently discovered. Local unprivileged users can abuse an easily exploitable vulnerability in the Linux kernel (CVE-2022-0847), widely known as Dirty Pipe, to gain root privileges on affected systems using publicly available exploits.
In this blog post, we will show how this attack works and how to defend against it using AccuKnox open-source tooling.
To learn more, check out CVE-2022-0847.
Technical summary of CVE-2022-0847
Before we get into the technical specifics, there are a few terms we should be aware of.
Pipe: A pipe is simply a unidirectional channel through which one process passes data to another.
Page splicing: A performance optimization that lets a pipe reference data held in page-cache pages directly, without copying it into the pipe's own memory.
The flaw is that data merged into such page-cache pages can be overwritten, which makes it easily exploitable from the Linux kernel's memory management. According to the disclosure report, this vulnerability first appeared in Linux 5.8, when it became possible to merge and overwrite data in a pipe's page cache. AppArmor and Seccomp are important for keeping systems safe, but they do not prevent this vulnerability from being exploited.
Once an attacker has gained local access to the victim's machine, they can escalate to root and take total control of the system. Below, we deploy a pod, test the exploit, and then block shell access to the pod.
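The shell-blocking mitigation described above, as an added example written for this post and not code from the original post or the accuknox/samples repository: a KubeArmorPolicy (KubeArmor is AccuKnox's open-source runtime enforcement engine) that blocks common shell binaries from executing in the test pod. The `app: ubuntu` label and the `default` namespace are assumptions about how the pod is labelled and where it is deployed.

```yaml
# Added example (not from the original post). Assumes the Ubuntu test pod
# carries the label app=ubuntu in the default namespace; adjust to match.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-shell-dirty-pipe
  namespace: default
spec:
  severity: 8
  tags: ["CVE-2022-0847", "privilege-escalation"]
  message: "interactive shell execution blocked in ubuntu pod"
  selector:
    matchLabels:
      app: ubuntu          # assumed label of the test pod
  process:
    matchPaths:
    # With no shell available, an attacker inside the pod cannot
    # compile and launch shell-root.c to reach a root shell.
    - path: /bin/bash
    - path: /bin/sh
    - path: /bin/dash
    - path: /usr/bin/bash
  action:
    Block
```

Apply it with kubectl before re-running the exploit; KubeArmor then denies the shell execution and emits an alert carrying the policy name and tags.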
Affected Kernel Versions:
Environment Setup in K8s
We'll use an Ubuntu 20.04 image to test the exploit, with all of the deployment files coming from the accuknox/samples GitHub repository.
Connect to your GKE cluster and then deploy the Ubuntu pod. To do that, copy and paste the following commands into your terminal.
Now exec into the pod and download the exploit code.
Exploit code execution
We will call this exploit file shell-root.c; its code is below.