CVE-2022-0847: Dirty Pipe Kernel Vulnerability

Environment

At this time we believe Arrikto products are not affected by this exploit due to the fact that the latest kernel we Arrikto uses is Linux version 5.4.

Issue

CVE-2022-0847, is a vulnerability in the Linux kernel since version 5.8 which allows overwriting data in arbitrary read-only files.

This can lead to privilege escalation because unprivileged processes can alter security-critical configuration files or executables.

This affects Linux Kernel releases from 5.8 onwards (since August 2020). This vulnerability is patched since 2022-02-23, in kernel releases 5.16.11, 5.15.25 and 5.10.102.

It is similar to CVE-2016-5195 “Dirty Cow” but is easier to exploit.

Resolution

If you wish to check your running Kernel version perform the following steps:ssh into your environment and check each instance by running the following command:

kubectl get nodes -o json | jq -r '.items[].status.nodeInfo.kernelVersion'

In the unlikely event you find an unpatched >= 5.8 kernel, contact Arrikto support prior to upgrading. Simply upgrading will cause a mismatch between the running kernel and the kernel modules needed by the Rok storage subsystem. Arrikto Support will have to generate new kernel modules for that specific kernel.

Root Cause

The root cause for this vulnerability is documented at this link: https://dirtypipe.cm4all.com/