Protecting against CVE-2022-0847 Dirty Pipe Vulnerability
Another local privilege escalation bug in the Linux kernel was recently disclosed. Local unprivileged users can abuse an easily exploitable kernel vulnerability (CVE-2022-0847), widely known as Dirty Pipe, to escalate to root on affected systems using publicly available exploit code.
In this blog post, we show how the attack works and how to defend against it with AccuKnox's open-source tooling, KubeArmor.
Before we get into the technical specifics, there are a few terms we should be aware of.
Pipe: a pipe is simply a mechanism for one process to pass data to another.
Page splicing: a performance optimization that lets data be moved between pipe pages and the page cache without copying it through memory again.
The flaw sits in the kernel's memory management of these spliced pipe pages: page-cache pages referenced from a pipe can be overwritten, and this is easy to exploit. According to the disclosure report, the bug first became exploitable in Linux 5.8, when it became possible to merge and rewrite data in a pipe's page cache. AppArmor and Seccomp are important for keeping systems safe, but they do not prevent this vulnerability from being exploited.
Once an attacker has gained a foothold on the victim's machine, they can obtain root and take complete control of the system. Below, we deploy a pod, run the exploit, and then block the shell access the exploit relies on.
Affected Kernel Versions:
Environment Setup in Kubernetes (K8s)
We'll use an Ubuntu 20.04 image to test the exploit, with all of the deployment files coming from the accuknox/samples GitHub repository.
Connect to your GKE cluster and deploy the Ubuntu pod. To do that, copy and paste the following commands into your terminal.
Now exec into the pod and download the exploit code.
Exploit code execution
We can call this exploit file shell-root.c and the code for it is below.
The exploit overwrites an executable with the SUID bit set, i.e., one that runs as the superuser. It replaces the original executable's contents with a small program, runs it to drop a SUID shell in /tmp, and then leaves the original executable in place.
Now use gcc to build and run the exploit code.
Check out the accuknox-samples directory to see the exploit and deployment files.
We were able to acquire root access successfully. Attackers may now use this to steal sensitive information, change passwords, and do a variety of malicious activities.
When it comes to mitigating vulnerabilities, defenders have a number of alternatives. Each must be weighed against the severity of the impact and danger to the business, as well as time and complexity, cost, and the chance of unforeseen consequences.
AccuKnox provides robust and efficient runtime security threat mitigation.
Under the policy-template repo, we have policies for almost all CVEs that you can use to secure your workloads. Step #1: clone the policy template repository. You can do that by simply copy-pasting the following command into your terminal.
Cloning gives you the policy files. In a nutshell, the cve directory holds mitigation policies for recently disclosed vulnerabilities, covering different workload types.
KubeArmor Security Policy
KubeArmor is a runtime security platform that helps enterprises safeguard their workloads by restricting process spawning, restricting file system access, and restricting pods' capabilities, among other things. KubeArmor also has a visibility option that lets you see what is going on inside the pods, such as which processes are running and which file access attempts are being made.
This policy will block all the dependencies run by the exploit and stop the shell access. KubeArmor sends you real-time alerts and logs tagged with the right labels.
KubeArmor will protect cloud workloads and virtual machines. To understand more about what we do, go to AccuKnox
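As an added example (written for this post, not the policy-template repository's own CVE-2022-0847 policy), the following KubeArmorPolicy breaks the exploit chain described above: it blocks the compiler used to build shell-root.c and denies execution of anything under /tmp, where the SUID shell is dropped. The pod label (app: ubuntu), the namespace and the exact blocked paths are assumptions; adjust them to the labels your deployment actually uses.

```yaml
# Added example policy, not the policy-template repo's own CVE-2022-0847 policy.
# Assumptions: the test pod carries the label app: ubuntu and lives in the
# default namespace; the compiler binaries live under /usr/bin.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: block-dirty-pipe-exploit-chain
  namespace: default
spec:
  severity: 8
  tags: ["CVE-2022-0847", "dirty-pipe", "privilege-escalation"]
  message: "Dirty Pipe exploit chain: compiler or /tmp execution blocked"
  selector:
    matchLabels:
      app: ubuntu            # assumed label on the test pod
  process:
    # The walkthrough compiles the exploit with gcc inside the pod. A
    # production container rarely needs a compiler, so block it outright.
    matchPaths:
    - path: /usr/bin/gcc
    - path: /usr/bin/cc
    - path: /usr/bin/g++
    # The exploit drops a SUID shell in /tmp and executes it. Deny execution
    # of anything under /tmp; the directory stays writable for normal use.
    matchDirectories:
    - dir: /tmp/
      recursive: true
  action: Block
```

Apply it with `kubectl apply -f <policy-file>` and rerun the exploit; KubeArmor logs each blocked exec with the policy name and tags above. Note what this policy does and does not do: it stops the exploit chain at the compile and execute steps, and a pre-compiled exploit that arrives by another route would need those steps blocked too. It does not fix the kernel bug itself, because the overwrite happens through the kernel's pipe and page-cache code rather than through a file open for writing that an LSM hook would see. Only a patched kernel removes the flaw; the policy buys time and visibility until the nodes are updated.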
Let us apply the policy. Execute the below command in your terminal.
Once the policy is applied, let us run the exploit again. As you can see, shell access is now prevented. More policies can be found in the policy-template GitHub repository.
Simply copy-paste the following command into your terminal to check for logs.
As we've seen, this flaw lets attackers overwrite arbitrary files on the system and escalate their privileges in system and cloud infrastructure, and then maintain persistence. Linux users everywhere should keep their systems up to date.
AccuKnox can now defend your workloads in minutes utilizing Kernel Native Primitives like AppArmor, SELinux, and eBPF, and it's accessible for Kubernetes and other cloud workloads.
Please let us know if you want any extra assistance in developing your cloud security strategy.