OSG-SEC-2022-03-09 CRITICAL “dirtypipe” vulnerability in Linux Kernel 5.8 and above

Dear OSG Security Contacts,

A CRITICAL vulnerability has been identified in Linux Kernel versions 5.8 and higher, and a proof-of-concept exploit has been published for Debian and reported for Ubuntu [1][2]. Sites running affected hosts should update to a patched version immediately.

IMPACTED VERSIONS:

Systems running Ubuntu or Debian with Linux Kernel 5.8 or higher. RHEL 8 and derivatives are not susceptible to the published proof-of-concept [3], but may be vulnerable to other undisclosed exploitation methods in the future and should be patched as well.

Kernel version can be checked with “uname -r”.

RHEL 7 and derivatives are not affected [3].

WHAT ARE THE VULNERABILITIES:

An exploit was introduced in Linux Kernel version 5.8 which may allow the writing of arbitrary data to arbitrary files even if they are O_RDONLY, immutable, or on MS_RDONLY filesystems [1]. A usable exploit for this vulnerability has already been published for Debian systems and reported for Ubuntu systems [1][2].

WHAT YOU SHOULD DO:

Hosts running affected versions of Linux should be updated as soon as possible, especially hosts running Debian [4] and Ubuntu [5].

The vulnerability is fixed in kernel versions 5.16.11, 5.15.25, and 5.10.102 [1].

MITIGATIONS

There are currently no mitigations for this vulnerability.

REFERENCES

[1] https://www.openwall.com/lists/oss-security/2022/03/07/1

[2] https://dirtypipe.cm4all.com/

[3] https://access.redhat.com/security/cve/cve-2022-0847

[4] https://security-tracker.debian.org/tracker/CVE-2022-0847

[5] https://ubuntu.com/security/CVE-2022-0847

Please contact the OSG Security team at [email protected] if you have any questions or concerns.

OSG Security team