| Follow @lancinimarco | Subscribe to CloudSecList

Reading time ~2 minutes

CVE-2022-0847 (aka Dirty Pipe):
What does it mean for defenders

CVE-2022-0847 (aka “Dirty Pipe”) was released earlier this week (2022-03-07).

This blog aims to provide a quick summary and actionable advice for defenders of cloud environments and those teams who are asked to determine its impact on their company’s infrastructure.


The vulnerability

From the original disclosure page (“The Dirty Pipe Vulnerability”):

CVE-2022-0847 is a vulnerability in the Linux kernel since 5.8 which allows overwriting data in arbitrary read-only files. This leads to privilege escalation because unprivileged processes can inject code into root processes.

(The page continues providing the technical details of the kernel vulnerability for those interested.)

At the same time, the Aqua Security team provided a higher-level description of the vulnerability, as well as proof of exploitation, in their post titled “ Dirty Pipe Linux Vulnerability: Overwriting Files in Container Images”:

“Dirty Pipe”, is a vulnerability that allows users on a Linux system to overwrite the contents of files that they can read but shouldn’t be able to write to. Looking at this vulnerability from the perspective of hosts using containerization software such as Docker, it was possible to modify files from container images on the host, from inside a container — something that generally shouldn’t be possible.


Means of exploitation

In short, this vulnerability lets a running container change files in its underlying image, as well as any files that are mounted read-only from the underlying host. For example, if the container runtime runs multiple containers generated from the same image, then Dirty Pipe can be used to attack this image, and thus the other containers spawned from it.

To exploit this issue, two conditions must be met:

  1. The kernel version of the host is vulnerable (5.8+).
  2. Attackers can interact with a container on the host.

As from the Aqua Security blog:

The issue is likely to have the most impact where there are many containers running with a shared image file and untrusted users can access individual containers but shouldn’t be able to modify files on the underlying host.

Update 2022-03-09, 11:00AM GMT

It looks like the DirtyPipe vulnerability can also be used for breaking out from unprivileged containers:


Subscribe to CloudSecList

If you found this article interesting, you can join thousands of security professionals getting curated security-related news focused on the cloud native landscape by subscribing to CloudSecList.com.


How does this affect Cloud Providers?

@christophetd started a handy Twitter thread that tries to collate impact on major cloud providers. Here is an up-to-date summary:

Provider Status Description
AWS 🟡
Azure 🟢
  • AKS is not impacted as its kernel uses version 5.4 (ref)
GCP 🔴
  • The issue hasn't been acknowledged yet (ref)

Vanilla versions of Ubuntu do not have a patch available yet (ref).


Conclusions

In this post I provided a quick summary and actionable advice for defenders of cloud environments and those teams who are asked to determine the impact of CVE-2022-0847 on their company’s infrastructure.

I’ll keep updating it as new information (and mitigations) are released.

I hope you found this post useful and interesting, and I’m keen to get feedback on it! If you find the information shared was useful, if something is missing, or if you have ideas on how to improve it, please let me know on Twitter.

Subscribe to CloudSecList

If you found this article interesting, you can join thousands of security professionals getting curated security-related news focused on the cloud native landscape by subscribing to CloudSecList.com.

Marco Lancini

Marco Lancini
Hi, I'm Marco Lancini. I'm a Security Engineer, mainly interested in cloud native technologies and security...  [read more]