Detecting and responding to Dirty Pipe with Elastic


In recent days, several security vendors have published blogs about the Linux-based exploitation (CVE-2022-0847), also known as Dirty Pipe. The Elastic Security Research team is sharing the first detailed research to help organizations find and alert on the exploitation with Elastic Security products. 

We are releasing this research so that users can defend themselves, since very little information has been shared on the actual detection of exploitation attempts. We will post more to this blog as new findings are identified in the community. 

What is Dirty Pipe? 

CVE-2022-0847 is a Linux local privilege escalation vulnerability, discovered by security researcher Max Kellermann, that takes advantage of the way the Linux kernel manages page files and named pipes allowing for the overwriting of data in read-only files.

How does it work?

The vulnerability can be exploited due to a flaw in the new pipe buffer structure where a flag member lacked proper initialization and could then contain a stale value. This could then be used to write to pages within the page cache behind read-only files, allowing for privilege escalation. Given the specific nature of this vulnerability, detection can be quite difficult.

Elastic’s research on Dirty Pipe demonstrates how the vulnerability can be detected via Auditd, what countermeasures can be used once detected, and how to respond to this exploit using Elastic Security. 

If you haven’t checked out the Elastic Security solution, take a look at our Quick Start guides (bite-sized training videos to get you started quickly) or our free fundamentals training courses

You can always get started with a free 14-day trial of Elastic Cloud. Or download the self-managed version of the Elastic Stack for free.