CVSS 7.8 “Dirty Pipe” Vulnerability Disclosed in Linux Kernel

Dirty Pipe is a vulnerability in the Linux Kernel disclosed Monday morning. Dirty Pipe, or CVE-2022-0847, allows overwriting data in arbitrary read-only files. This can lead to privilege escalation and code injection into root processes. The vulnerability exists in all Linux kernel versions from 5.8 forward and has been patched in Linux 5.16.11, 5.15.25, and 5.10.102.

Dirty Pipe is expected to be patched in the various Linux OS vendors as the day progresses. This vulnerability is similar in nature to Dirty Cow in 2016, but is reportedly easier to exploit.

Given the prevalence of Linux in highly sensitive infrastructure, this is a very important vulnerability to mitigate. It is highly recommended that IT and SecOps admins prioritize patching and remediation of this vulnerability in the next 24 hours to reduce organizational risk from this vulnerability.

Timeline of Events

Security researcher Max Kellermann chronicles the timeline of events leading up to today's vulnerability disclosure. Check out Max’s full technical write-up here.

  • 2021-04-29: first support ticket about file corruption – nearly a year ago, Max discovered an issue thought to be related to corrupt files

  • 2022-02-19: file corruption problem identified as Linux kernel bug, which turned out to be an exploitable vulnerability

  • 2022-02-20: bug report, exploit and patch sent to the Linux kernel security team

  • 2022-02-21: bug reproduced on Google Pixel 6; bug report sent to the Android Security Team

  • 2022-02-21: patch sent to LKML (without vulnerability details) as suggested by Linus Torvalds, Willy Tarreau and Al Viro

  • 2022-02-23: Linux stable releases with my bug fix (5.16.11, 5.15.25, 5.10.102)

  • 2022-02-24: Google merges my bug fix into the Android kernel

  • 2022-02-28: Linux-distros mailing list is notified

  • 2022-03-07: Vulnerability is publicly disclosed

Recommended Remediation

The Linux kernel is vulnerable in versions 5.8 and forward - this means that most of your Linux distributions are vulnerable. The Linux Kernel Security team has fixed the vulnerability in Linux 5.16.11, 5.15.25, and 5.10.102, so you’ll need to patch your distributions of Linux as they are released. As of Monday morning, not all distributions have patches released to remediate.

If you don’t have an existing Linux patch policy, we recommend a Patch All policy with device targeting for Linux OSes (this will also patch Linux third-parties we cover) to fix this vulnerability fast – ideally within the next 24 hours.

We also recommend a recurring schedule to eliminate your immediate and future risk, as not all distributions have released patches as of Monday morning.

  1. Where can I find information about CISA’s recent “Shields Up” guidance for organizations?

  2. Is there any patching advice regarding the recent vulnerabilities in Adobe Commerce and Magento Open Source?

  3. Where can I read about patching my system against state-sponsored cyber attack operations?

    Automox for Easy IT Operations

    Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day. 

    Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.

Dive deeper into this topic