Lucene search

rapid7blogCaitlin CondonRAPID7BLOG:C89CBECF94C64F41DF3E509527A73690
HistoryMar 09, 2022 - 10:25 p.m.

CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel

Caitlin Condon

0.076 Low




CVE Disclosure AttackerKB IVM Content Patching Urgency Blog’s Last Update
CVE-2022-0847 Original disclosure AttackerKB March 10, 2022 When practical March 10, 2022 3:21 PM EST

CVE-2022-0847: Arbitrary File Overwrite Vulnerability in Linux Kernel

On March 7, 2022, CM4all security researcher Max Kellermann published technical details on CVE-2022-0847, an arbitrary file overwrite vulnerability in versions 5.8+ of the Linux kernel. Nicknamed “Dirty Pipe,” the vulnerability arises from incorrect Unix pipe handling, where unprivileged processes can corrupt read-only files. Successful exploitation allows local attackers to escalate privileges by modifying or overwriting typically inaccessible files — potentially including root passwords and SUID binaries.

CVE-2022-0847 affects Linux kernel versions since 5.8. Read Rapid7’s full technical analysis of the vulnerability in AttackerKB, including PoC and patch analysis.

While CVSS is not yet available, CVE-2022-0847 will likely carry a “High” severity rating rather than a “Critical” one given the authentication requirement. Multiple public exploits are available, including a proof of concept from the original disclosure and a Metasploit module. We are not aware of any reports of exploitation in the wild as of March 9, 2022.

This is a “patch, but no need to panic” situation. With that said, a few factors make this bug stand out a bit more than the average local privilege escalation (LPE) vuln. First and foremost, this is a simple attack to execute once initial access has been obtained, and it offers adversaries broad avenues for privileged operations after sensitive files (like root passwords) have been modified. Security researchers have also demonstrated that in some cases, public exploit code can be used to escape containers in that files modified inside the container also get modified on the host. Finally, the lingering specter of Log4Shell means that there may be a higher chance that attackers already have local access required to execute a privilege escalation attack on Linux systems.

Updates to Linux distributions have been trickling out. Organizations should apply the latest patches as soon as they are available and reboot systems.

Rapid7 customers

The March 10 content release for InsightVM and Nexpose includes checks for CVE-2022-0847 for Debian, Ubuntu, and SUSE. Coverage for Amazon Linux, Red Hat Linux, and CentOS Linux is available in the March 11 content update.


Get the latest stories, expertise, and news about security today.