Dirty Pipe exploitation attempted

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect exploitation of CVE-2022-0847 “Dirty Pipe”. Dirty Pipe is a vulnerability in the Linux kernel which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation.

Strategy

This detection triggers when the splice() syscall is made and the PIPE_BUF_FLAG_CAN_MERGE flag is set. Explanation of the vulnerability and exploitation can be found in the public disclosure.

Triage & Response

  1. Determine if the host is vulnerable. This vulnerability affects kernel versions starting from 5.8. After its discovery, it was fixed for all currently maintained releases of Linux in versions 5.16.11, 5.15.25, and 5.10.102. The exploit was successful if the field splice.pipe_exit_flag is PIPE_BUF_FLAG_CAN_MERGE.
  2. Attempt to contain the compromise (possibly by terminating the workload, depending on the stage of attack) and look for indications of the initial compromise. Follow your organization’s internal processes for investigating and remediating compromised systems.
  3. If the host is vulnerable, update the kernel to a patched version.

Changelog

  • 16 December 2024 - Reduced severity of the case identifying failed attempts

Requires Agent version 7.35 or greater