Vulnerability Spotlight: Dirty Pipe
Editor's Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.
This report provides an overview, technical analysis, and mitigations for CVE-2022-0847. Sources include the Recorded Future® Platform, GitHub, and open-source reporting. The intended audience for this report is defenders and analysts who are interested in how CVE-2022-0847 exploits work, as well as current mitigations that can be employed.
Executive Summary
CVE-2022-0847 (Dirty Pipe) is a Linux kernel vulnerability that was disclosed in early March 2022. The vulnerability was introduced in Linux kernel version 5.8 and allows for local privilege escalation via arbitrary file overwrites. An example proof-of-concept (POC) exploit was released with the disclosure, and since then several other POCs have been published on GitHub. The public exploits are reliable and only require a small number of prerequisites to work, such as having read permissions to a targeted file. Given the nature of this vulnerability, there are many different files that can be targeted for privilege escalation; therefore, this report highlights the techniques used by existing POC exploits. CVE-2022-0847 was patched in Linux kernel versions 5.16.11, 5.15.25, and 5.10.102, and all major Linux-based distributions have incorporated patches into their package repositories. Organizations should apply the recommended patches as soon as possible.
Key Observations
- CVE-2022-0847 existed in the wild for roughly 2 years, although there is no evidence that it was exploited prior to its public disclosure.
- Multiple POC exploits are publicly available, so even unsophisticated attackers can easily exploit this vulnerability.
- Exploits for CVE-2022-0847 are reliable and allow an attacker to gain root access when run on a vulnerable system. The root access enables the threat actor to perform administrative tasks such as reading sensitive files, installing malicious software, impersonating users, and potentially moving laterally throughout the network.
- The only mitigation for CVE-2022-0847 is to apply security patches, which are available for all major Linux distributions.
- Recorded Future has observed over 90 underground forum references to CVE-2022-0847 since it was disclosed, illustrating a general interest and potential intent to exploit the vulnerability in future campaigns.
Background
CVE-2022-0847 is a privilege escalation vulnerability in the Linux kernel that allows arbitrary files to be overwritten if the attacker has read access to the file. The vulnerability was introduced into the Linux kernel in version 5.8 and existed for roughly 2 years before being discovered and patched. It was discovered by Max Kellermann, who gave it the nickname “Dirty Pipe” due to its similarities with CVE-2016-5195 (aka “Dirty Cow”). Kellermann identified the vulnerability on February 19, 2022, and initiated a coordinated vulnerability disclosure the following day by submitting a bug report, POC exploit, and patch to the Linux kernel security team. Once patches were in place, the vulnerability was publicly disclosed on March 7, 2022. At this time, there is no evidence that CVE-2022-0847 was exploited in the wild prior to its disclosure.
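The bug itself received a rating of High (7.8) on the CVSS 3.0 scale. Given the widespread nature of Linux-based operating systems (OS), this vulnerability affects not only desktops and servers running a Linux-based OS but also many other devices. Vulnerable devices include various Internet of Things (IoT) devices, routers, and Android tablets and phones. The vulnerability cannot be exploited remotely, but it can be chained with a remote code execution (RCE) vulnerability and used without local access. In addition, not all devices are vulnerable, because Linux kernel versions prior to 5.8 and kernel versions updated to a patched release are not affected.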
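A first-pass fleet triage built on the version boundaries given in this report (introduced in 5.8; fixed in 5.16.11, 5.15.25, and 5.10.102), added here as an example that is not part of the original report. The names `classify` and `triage`, the sample inventory, and the treatment of final 5.17 and later releases as fixed are assumptions; because distribution kernels carry backported changes, a release string with a build suffix is reported as needing a vendor advisory check rather than as vulnerable.

```python
import re

# Version boundaries as stated in the report.
INTRODUCED = (5, 8)                                   # first vulnerable branch
FIXED = {(5, 10): 102, (5, 15): 25, (5, 16): 11}      # branch -> first fixed patch level
# Assumption (not stated in the report): final releases of 5.17+ include the fix.
FIRST_CLEAN_BRANCH = (5, 17)

_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def classify(release):
    """Return (status, reason) for a `uname -r` style kernel release string."""
    m = _RELEASE.match(release.strip())
    if not m:
        return ("unknown", "unparseable release string")
    branch = (int(m.group(1)), int(m.group(2)))
    patch = int(m.group(3) or 0)
    suffix = m.group(4)  # e.g. "-11-amd64", "-rc1"; empty for plain upstream versions

    if branch < INTRODUCED:
        return ("not_affected", "older than 5.8")
    if branch >= FIRST_CLEAN_BRANCH and "-rc" not in suffix:
        return ("not_affected", "newer than the patched branches (assumed)")
    if branch in FIXED and patch >= FIXED[branch]:
        return ("patched", "at or above %d.%d.%d" % (*branch, FIXED[branch]))

    reason = "no fixed release at or below this version in the report"
    if suffix:
        # Distribution and pre-release builds do not follow upstream numbering,
        # so the comparison is inconclusive: check the vendor advisory.
        return ("verify_vendor", reason + "; build suffix " + suffix)
    return ("vulnerable", reason)


def triage(inventory):
    """Map host -> status for a dict of host -> kernel release string."""
    return {host: classify(rel)[0] for host, rel in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not data from the report).
SAMPLE = {
    "web01": "5.4.0-100-generic",
    "db01": "5.10.101",
    "db02": "5.10.102",
    "build01": "5.10.0-11-amd64",
    "lab01": "5.13.0-30-generic",
}

if __name__ == "__main__":
    for host, rel in SAMPLE.items():
        print(host, rel, *classify(rel))
```

Hosts reported as `verify_vendor` should be resolved against the distribution's security advisory for the installed kernel package, not against the upstream version number.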
In a search of underground and dark web sources, we identified numerous discussions pertaining to CVE-2022-0847. While it is uncommon for threat actors to publicly disclose their intentions of targeting specific organizations using a particular CVE, a general interest shared by dark web forum members indicates threat actors’ intent to use CVE-2022-0847 in malicious campaigns. We identified 120 references to CVE-2022-0847 across multiple dark web forums over the past 2 months, as shown in Figure 1 below.
Figure 1: References for CVE-2022-0847 or Dirty Pipe on dark web forums (Source: Recorded Future)