CVE-2022-0847

Description

A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the system.

CVSS Metrics

• v3.1•HIGH•Score: 7.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
• v2.0•HIGH•Score: 7.2AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 81.98%• Percentile: 99%

Techniques & Countermeasures

• CWE-665•Improper Initialization

  The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Affected Systems

• fedoraproject•fedora

  35

• linux•linux_kernel

  ≥ 5.8, < 5.10.102 | ≥ 5.15, < 5.15.25 | ≥ 5.16, < 5.16.11

• netapp•h300e_firmware

  na

• netapp•h300s_firmware

  na

• netapp•h410c_firmware

  na

• netapp•h410s_firmware

  na

• netapp•h500e_firmware

  na

• netapp•h500s_firmware

  na

• netapp•h700e_firmware

  na

• netapp•h700s_firmware

  na

• ovirt•ovirt-engine

  4.4.10.2

• redhat•codeready_linux_builder

  na

• redhat•enterprise_linux

  8.0

• redhat•enterprise_linux_eus

  8.2 | 8.4

• redhat•enterprise_linux_for_ibm_z_systems

  8.0

• redhat•enterprise_linux_for_ibm_z_systems_eus

  8.2 | 8.4

• redhat•enterprise_linux_for_power_little_endian

  8.0

• redhat•enterprise_linux_for_power_little_endian_eus

  8.2 | 8.4

• redhat•enterprise_linux_for_real_time

  8

• redhat•enterprise_linux_for_real_time_for_nfv

  8

• redhat•enterprise_linux_for_real_time_for_nfv_tus

  8.2 | 8.4

• redhat•enterprise_linux_for_real_time_tus

  8.2 | 8.4

• redhat•enterprise_linux_server_aus

  8.2 | 8.4

• redhat•enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions

  8.1 | 8.2 | 8.4

• redhat•enterprise_linux_server_tus

  8.2 | 8.4

• redhat•enterprise_linux_server_update_services_for_sap_solutions

  8.1 | 8.2 | 8.4

• redhat•virtualization_host

  4.0

• siemens•scalance_lpe9403_firmware

  < 2.0

• sonicwall•sma1000

  ≤ 12.4.2-02044

References (11)

• https://bugzilla.redhat.com/show_bug.cgi?id=2060795
• https://dirtypipe.cm4all.com/
• http://packetstormsecurity.com/files/166230/Dirty-Pipe-SUID-Binary-Hijack-Privilege-Escalation.html
• http://packetstormsecurity.com/files/166229/Dirty-Pipe-Linux-Privilege-Escalation.html
• http://packetstormsecurity.com/files/166258/Dirty-Pipe-Local-Privilege-Escalation.html
• https://www.suse.com/support/kb/doc/?id=000020603
• https://security.netapp.com/advisory/ntap-20220325-0005/
• https://cert-portal.siemens.com/productcert/pdf/ssa-222547.pdf
• https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2022-0015
• http://packetstormsecurity.com/files/176534/Linux-4.20-KTLS-Read-Only-Write.html
• https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0847