The CyberRisk Summit is back: Join us on Dec 6. as we recap the cyber risk landscape in 2022 | Get free ticket >> 

Live webinar, Oct 13: Attend to learn how you can deduplicate vulnerability and deliver a smarter approach to cyber risk management  | Register  >>

New report: Mapping MITRE ATT&CK framework to CVEs |  Read more  >>

Voyager18 (research)

How to fix CVE-2022-0847

CVE-2022-0847 - dubbed Dirty Pipe for its similarity to the Dirty Cow vulnerability - has emerged in Linux distributions. Here's everything you need to know about this growing threat.

Ortal Keizman | March 07, 2022

On Monday, a cybersecurity researcher released the details of a Linux vulnerability - CVE-2022-0847 - that allows an attacker to overwrite data in arbitrary read-only files.

Dubbed Dirty Pipe by the researcher due to its similarity to the Dirty Cow flaw, - this vulnerability has already been patched in the Linux and Android kernels. Meanwhile security updates with the patch are being pushed out in affected Linux distributions.  

Here’s what you need to know: 

What is the CVE-2022-0847 vulnerability?

CVE-2022-0847 represents a flaw in how Linux treats pipe buffer flags. The vulnerability lets threat actors to overwrite data in read-only files and SUID binaries to achieve root access. 

For a local kernel vulnerability, this is about as critical as it gets. There’s pretty much no way to mitigate it - just like Dirty Cow - and it targets core Linux functionality. 

While the bug is easy to exploit, it can’t be done remotely – attackers need to have prior access to a vulnerable host to deploy an exploit. But if the Dirty Cow flaw was exploited by attackers in the wild, you can be sure that it won’t be long before they take advantage of Dirty Pipe, too. 

The original write-up from the researcher who discovered the vulnerability contains plenty of information for other security professionals, including a PoC exploit. Other researchers have been able to produce variations of this.

Does it affect me?

The vulnerability affects Linux Kernel 5.8 and later versions but was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

Has CVE-2022-0847 been actively exploited in the wild?

Any exploit that gives root level access to a Linux system is problematic. 

An attacker with root access has full control over the target system. There’s a good chance that they could leverage that control to reach other system. The risk is slightly lower given the fact that local access is required, but it’s still a vulnerability that should be taken seriously. 

Fixing CVE-2022-0847

Users of various Linux distributions and Android devices should be on the lookout for security updates implementing the patch.

CVE-2022-0847 affects Linux Kernel 5.8 and later versions (possibly even earlier ones), and has been fixed in Linux 5.16.11, 5.15.25 and 5.10.102 and the latest Android kernel.

One thing’s for certain: vulnerabilities aren’t going anywhere. Get ahead of the game with Vulcan Remedy Cloud – the free, comprehensive resource for everything you need to know about how to fix the latest CVEs.  

The Vulcan Cyber platform is a valuable partner in mitigating the continuing threat of vulnerabilities. See it in action.