Dirty Pipe is a vulnerability in the Linux Kernel disclosed Monday morning. Dirty Pipe, or CVE-2022-0847, allows overwriting data in arbitrary read-only files. This can lead to privilege escalation and code injection into root processes. The vulnerability exists in all Linux kernel versions from 5.8 forward and has been patched in Linux 5.16.11, 5.15.25, and 5.10.102.
Dirty Pipe is expected to be patched by the various Linux OS vendors as the day progresses. This vulnerability is similar in nature to Dirty Cow in 2016, but is reportedly easier to exploit.
Given the prevalence of Linux in highly sensitive infrastructure, this is a very important vulnerability to mitigate. It is highly recommended that IT and SecOps admins prioritize patching and remediation of this vulnerability within the next 24 hours to reduce organizational risk.
Timeline of Events
Security researcher Max Kellermann chronicles the timeline of events leading up to today's vulnerability disclosure. Check out Max’s full technical write-up here.
2021-04-29: first support ticket about file corruption – nearly a year ago, Max discovered an issue thought to be related to corrupt files
2022-02-19: file corruption problem identified as Linux kernel bug, which turned out to be an exploitable vulnerability
2022-02-20: bug report, exploit and patch sent to the Linux kernel security team
2022-02-21: bug reproduced on Google Pixel 6; bug report sent to the Android Security Team
2022-02-21: patch sent to LKML (without vulnerability details) as suggested by Linus Torvalds, Willy Tarreau and Al Viro
2022-02-23: Linux stable releases with my bug fix (5.16.11, 5.15.25, 5.10.102)
2022-02-24: Google merges my bug fix into the Android kernel
2022-02-28: Linux-distros mailing list is notified
2022-03-07: Vulnerability is publicly disclosed
Recommended Remediation
The Linux kernel is vulnerable in versions 5.8 and later, which means that most current Linux distributions are vulnerable. The Linux Kernel Security team has fixed the vulnerability in Linux 5.16.11, 5.15.25, and 5.10.102, so you’ll need to patch your distributions of Linux as the updated packages are released. As of Monday morning, not all distributions have released patches to remediate.
If you don’t have an existing Linux patch policy, we recommend a Patch All policy with device targeting for Linux OSes (this will also patch Linux third-parties we cover) to fix this vulnerability fast – ideally within the next 24 hours.
We also recommend a recurring schedule to eliminate your immediate and future risk, as not all distributions have released patches as of Monday morning.
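Before a patch window opens it helps to know which hosts are in the affected range. The script below is an added example (not part of the original post and not an Automox tool) that classifies a kernel version string against the ranges stated above: mainline 5.8 and later affected, stable fixes in 5.16.11, 5.15.25 and 5.10.102. The function name dirty_pipe_status and the output labels are assumptions. It is a version-number heuristic only: distribution kernels that backport the fix without changing the upstream version, and older enterprise branches such as 4.18-based kernels, are not classified reliably, so confirm against your vendor's advisory.

```shell
#!/bin/sh
# Added example: classify a kernel version against the Dirty Pipe (CVE-2022-0847)
# affected range described in this post. Upstream version numbers only; distro
# backports without a version bump are NOT detected by this heuristic.

# usage: dirty_pipe_status <kernel-version>    e.g. 5.10.101 or 5.15.0-40-generic
# prints one of: not-affected | vulnerable | patched | unknown
dirty_pipe_status() {
    # Release candidates are not covered by the stable release numbers above
    case "$1" in
        *-rc*) echo unknown; return 0 ;;
    esac

    # Drop distro suffixes such as -generic, -arch1-1, +deb11
    v=$(printf '%s' "$1" | sed 's/[-+].*$//')

    # Split "major.minor.patch" on dots (POSIX word splitting, no bashisms)
    old_ifs=$IFS
    IFS=.
    set -- $v
    IFS=$old_ifs
    major=$1; minor=$2; patch=${3:-0}

    # Every component must be a non-empty decimal number
    for f in "$major" "$minor" "$patch"; do
        case "$f" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done

    # The bug was introduced in 5.8; anything earlier is not affected upstream
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo not-affected; return 0
    fi

    # Stable branches with a named fix release (from the advisory above)
    case "$major.$minor" in
        5.10) fixed=102 ;;
        5.15) fixed=25 ;;
        5.16) fixed=11 ;;
        *)    fixed="" ;;
    esac

    if [ -n "$fixed" ]; then
        if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
        return 0
    fi

    # 5.17 and all later releases shipped after the fix was merged upstream
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo patched; return 0
    fi

    # 5.8, 5.9 and 5.11 through 5.14: no fixed release is named above, treat as vulnerable
    echo vulnerable
}

# Stand-alone use: report on the running kernel
echo "running kernel $(uname -r): $(dirty_pipe_status "$(uname -r)")"
```

A "patched" result only means the upstream version is at or past the fix; a "vulnerable" result on a vendor kernel should be cross-checked against that vendor's changelog, since the fix may have been backported under an older version string.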
Automox for Easy IT Operations
Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
Grab your free trial of Automox and join thousands of companies transforming IT operations into a strategic business driver.