Dirty Pipe exploitation attempted
Goal
Detect exploitation of CVE-2022-0847 “Dirty Pipe”. Dirty Pipe is a vulnerability in the Linux kernel that allows unprivileged processes to write to arbitrary files they can read, leading to privilege escalation.
Strategy
This detection triggers when the splice() syscall is made and the PIPE_BUF_FLAG_CAN_MERGE flag is set. An explanation of the vulnerability and its exploitation can be found in the public disclosure.
Triage & Response
- Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field splice.pipe_exit_flag is PIPE_BUF_FLAG_CAN_MERGE.
- Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization’s internal processes for investigating and remediating compromised systems.
- If the host is vulnerable, update the kernel to a patched version.
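The two checks from the triage list above, as an added shell helper that is not part of this rule page or the Datadog agent: a kernel-version range test using the affected and fixed versions given above, and a verdict on the detection's splice.pipe_exit_flag value. It assumes (not stated on the page) that mainline 5.17 and later include the fix and that the flag value is compared as the symbolic name PIPE_BUF_FLAG_CAN_MERGE.

```shell
#!/bin/sh
# Added triage helper (not part of the Datadog rule page). Two checks from the
# Triage & Response list: is the kernel version in the Dirty Pipe (CVE-2022-0847)
# affected range, and did the detection's splice.pipe_exit_flag show success.
# Assumptions not stated on the page: 5.17+ kernels include the fix, and the flag
# value is compared as the symbolic name PIPE_BUF_FLAG_CAN_MERGE.
# Caveat: distribution kernels backport fixes without bumping the upstream version,
# so a "vulnerable" verdict here means "confirm against your distro's advisory".

# dirty_pipe_version_check VERSION -> exit 0 if VERSION is in the affected range
dirty_pipe_version_check() {
    # Keep only the numeric prefix: "5.10.100-generic" -> "5.10.100"
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    old_ifs=$IFS; IFS=.; set -- $ver; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    [ "$major" -eq 5 ] || return 1        # only 5.x kernels are in range
    [ "$minor" -ge 8 ] || return 1        # introduced in 5.8 (from the page)
    [ "$minor" -lt 17 ] || return 1       # assumption: mainline 5.17+ is fixed
    case "$minor" in
        16) [ "$patch" -lt 11 ] ;;        # fixed in 5.16.11 (from the page)
        15) [ "$patch" -lt 25 ] ;;        # fixed in 5.15.25 (from the page)
        10) [ "$patch" -lt 102 ] ;;       # fixed in 5.10.102 (from the page)
        *)  return 0 ;;                   # 5.8, 5.9, 5.11-5.14: no fixed release listed
    esac
}

# classify_splice_event FLAG -> one-line verdict for the detection's pipe_exit_flag
classify_splice_event() {
    case "$1" in
        PIPE_BUF_FLAG_CAN_MERGE) echo "exploit succeeded: target file was overwritten" ;;
        *) echo "attempt only: pipe_exit_flag was '$1'" ;;
    esac
}

# Run the version check against the kernel this script is executing on.
check_running_kernel() {
    running=$(uname -r)
    if dirty_pipe_version_check "$running"; then
        echo "kernel $running: in affected range, verify with your distro's advisory"
    else
        echo "kernel $running: outside affected range"
    fi
}

check_running_kernel
```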
Changelog
- 16 December 2024 - Reduced severity of the case identifying failed attempts
Requires Agent version 7.35 or greater