Dirty Pipe exploitation attempted
Goal
Detect exploitation of CVE-2022-0847 “Dirty Pipe”. Dirty Pipe is a vulnerability in the Linux kernel which allows an unprivileged process to overwrite data in arbitrary files it can open for reading, including read-only files owned by root and setuid binaries, leading to privilege escalation.
Strategy
This detection triggers when the splice() syscall returns with the PIPE_BUF_FLAG_CAN_MERGE flag still set on the pipe buffer. The exploit prepares a pipe so that its buffers carry this flag, then uses splice() to move page-cache pages of the target file into the pipe; because the affected kernels did not clear the flag on the new buffer, a subsequent write() to the pipe merges the attacker's data into the page cache, and therefore into the file, without any write permission check on the file itself. Explanation of the vulnerability and exploitation can be found in the public disclosure.
Triage & Response
- Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. Check the running kernel version (uname -r), but confirm against your distribution's advisory: distributions backport both the affected code and the fix under their own version numbering, so the upstream version string alone is not authoritative. The exploit was successful if the field splice.pipe_exit_flag is PIPE_BUF_FLAG_CAN_MERGE, meaning the flag survived the splice() call and a following write() into the target file's page cache was possible.
- Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization's internal processes for investigating and remediating compromised systems.
- If the host is vulnerable, update the kernel to a patched version.
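The two checks above, the kernel version ranges from the first triage step and the splice.pipe_exit_flag test from the Strategy section, as an added example in Python. This is not the Datadog Agent's code and does not use its real event schema: the newline-delimited JSON events are constructed for the example, and the evt, process and file keys in them are an assumed layout. Only the splice.pipe_exit_flag field and the version numbers come from the page; the flag's numeric value (0x10) is taken from the kernel's include/linux/pipe_fs_i.h.

```python
"""Triage helpers for CVE-2022-0847 (Dirty Pipe).

Added example for this page; not the Datadog Agent's code and not its event
schema. Two checks from the Triage & Response steps:
  * is_vulnerable_kernel(): the upstream kernel version ranges given on the page.
  * exploit_succeeded():   the splice.pipe_exit_flag check on a splice() event.
"""
import json
import re

# Flag value from the kernel's include/linux/pipe_fs_i.h. A pipe buffer that
# still carries it when splice() returns can be appended to by a plain write()
# on the pipe, which is what the exploit abuses to modify the page cache.
PIPE_BUF_FLAG_CAN_MERGE = 0x10

FIRST_AFFECTED = (5, 8, 0)
# Stable series that received the fix, and the first patch level containing it.
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}


def parse_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '5.10.101-1-amd64' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable_kernel(release: str) -> bool:
    """Upstream-version heuristic only: distributions backport both the bug and
    the fix under their own version numbers, so confirm against the distro advisory."""
    major, minor, patch = parse_release(release)
    if (major, minor, patch) < FIRST_AFFECTED:
        return False
    if (major, minor) > (5, 16):
        return False  # mainline 5.17 and later shipped with the fix already in
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return True  # 5.8-5.9 and 5.11-5.14 were end-of-life and never received the fix
    return patch < fixed_patch


def exploit_succeeded(event: dict) -> bool:
    """Triage check from the page: the pipe buffer still carried CAN_MERGE when
    splice() returned. Accepts the flag as a symbolic name or as an integer mask."""
    if event.get("evt", {}).get("name") != "splice":
        return False
    flag = event.get("splice", {}).get("pipe_exit_flag")
    if isinstance(flag, int):
        return bool(flag & PIPE_BUF_FLAG_CAN_MERGE)
    return isinstance(flag, str) and "PIPE_BUF_FLAG_CAN_MERGE" in flag.split("|")


def triage(lines) -> list:
    """Run the check over newline-delimited JSON events and return the hits with
    what an analyst needs first: which process, which target file. The process
    and file keys are an assumed layout for this example."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if exploit_succeeded(event):
            hits.append({
                "pid": event.get("process", {}).get("pid"),
                "comm": event.get("process", {}).get("comm"),
                "target": event.get("file", {}).get("path"),
            })
    return hits


# Constructed sample events (not real Agent output). The first is benign splice()
# use, the second is not a splice event, the third shows the flag surviving the
# call against a setuid binary.
SAMPLE_EVENTS = """
{"evt":{"name":"splice"},"splice":{"pipe_exit_flag":"PIPE_BUF_FLAG_LRU"},"process":{"pid":311,"comm":"nginx"},"file":{"path":"/var/www/index.html"}}
{"evt":{"name":"open"},"process":{"pid":312,"comm":"bash"},"file":{"path":"/etc/passwd"}}
{"evt":{"name":"splice"},"splice":{"pipe_exit_flag":"PIPE_BUF_FLAG_CAN_MERGE"},"process":{"pid":4242,"comm":"exploit"},"file":{"path":"/usr/bin/su"}}
""".strip().splitlines()


if __name__ == "__main__":
    for rel in ("5.4.0-generic", "5.10.101-amd64", "5.10.102-amd64", "5.13.19", "5.16.11", "6.1.0"):
        print(f"{rel:20} vulnerable={is_vulnerable_kernel(rel)}")
    for hit in triage(SAMPLE_EVENTS):
        print("exploit succeeded:", hit)
```

The version check deliberately treats the end-of-life 5.8 to 5.9 and 5.11 to 5.14 series as vulnerable, since no upstream fix was ever published for them; a host reporting one of those versions needs a distribution-specific answer.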
Requires Agent version 7.35 or greater