MCP Insights

Cybersecurity Threat Advisory: ‘Dirty Pipe’ Linux Vulnerability Provides Easy Privilege Escalation

Posted on March 16, 2022 by Mike Beagles

Advisory Overview

Security researchers discovered and released information to the public regarding new vulnerabilities and kernel-level exploits. The vulnerabilities — CVE-2022-049 and CVE-2022-0847 — are two of the highest-severity exploits and affect out-of-date Linux distributions, aka “distros.”

Linux users typically obtain their operating system by downloading a distro, which is a software collection that contains the Linux kernel and a package management system.

Due to similarities with the execution of the 2016 “Dirty Cow” exploit, CVE-2022-0847 has been dubbed the “Dirty Pipe” exploit. Using the vulnerability, an attacker can gain complete root access to a device. MCP recommends updating all vulnerable Linux distros immediately.

What Is the Threat?

CVE-2022-0847 was discovered by security researcher Max Kellermann. In a proof-of-concept demonstration, Kellermann identified a kernel-level vulnerability within multiple Linux distros. Essentially, these distros contain a bug within the “pipeline” of multiple processes that send data to each other. The vulnerability enables unprivileged users to inject code into read-only files and modify configurations, which allows them to easily obtain root access, among many other attacks.

Why Is It Noteworthy?

The exploit makes it easy for any user to gain unfettered access to a system with a root-level shell. Although the issue has been patched in Linux kernels 5.16.11, 5.15.25, and 5.10.102, many servers continue to operate using outdated kernels, making the release of this exploit one of the highest-severity releases in recent Linux history. It also is notable that the previous exploit from which this vulnerability takes its name, “Dirty Cow,” was used extensively by malware, and this vulnerability is even easier for cyberattackers to leverage.

What Is the Risk?

Kellermann released the “Dirty Pipe” vulnerability and stated that it “affects Linux Kernel 5.8 and later versions, even on Android devices.” This leaves a large attack surface for those running Linux servers with outdated kernels. If an attacker were to exploit this vulnerability, they could move laterally to other devices in the environment, add/remove/modify files at will, and much more.

What Are the Recommendations?

MCP recommends patching and updating all Linux kernels to versions 5.16.11, 5.15.25, and 5.10.102 or higher. We also recommend acting immediately because cyberattackers almost assuredly will be using this exploit for attacks due to its ease of use and wide availability.
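
To triage hosts against the versions named in this advisory, the following added example (not MCP's or the kernel project's own code) classifies a kernel release string as it appears in `uname -r`. The function name `dirty_pipe_status` and its status words are assumptions made for illustration, and the sample release strings in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): map a kernel release string to the
# version ranges the advisory gives for Dirty Pipe (CVE-2022-0847).
# Caveat: distro kernels may carry a backported fix under an older version
# number, so confirm a "vulnerable" result against the vendor's own advisory.

dirty_pipe_status() {
    rel=$1
    ver=${rel%%[!0-9.]*}          # "5.15.24-custom" -> "5.15.24"
    old_ifs=$IFS; IFS=.
    set -- $ver                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-}; minor=${2:-}; patch=${3:-0}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo "unknown"; return 0
    fi
    # Older than 5.8: outside the affected range stated in the advisory.
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo "not-affected"; return 0
    fi
    # Anything newer than the 5.16 series is "higher" than every fixed release.
    if [ "$major" -gt 5 ] || [ "$minor" -gt 16 ]; then
        echo "patched"; return 0
    fi
    # Series with a fixed release named in the advisory.
    case "$minor" in
        16) fixed=11 ;;
        15) fixed=25 ;;
        10) fixed=102 ;;
        *)  echo "vulnerable"; return 0 ;;   # 5.8-5.14 series with no listed fix
    esac
    if [ "$patch" -ge "$fixed" ]; then echo "patched"; else echo "vulnerable"; fi
}

# Check the running kernel, or a release string passed as the first argument.
release=${1:-$(uname -r)}
printf '%s: %s\n' "$release" "$(dirty_pipe_status "$release")"
```

A series in the affected range with no fixed release listed above (for example 5.13) is reported as vulnerable, which means moving to a patched series rather than waiting for a point release.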


For more in-depth information about the recommendations, please visit the following link:

As part of our effort to inform our clients about potential and serious cybersecurity issues, MCP provides advisories about vulnerabilities and exploits that could threaten the operations of their critical communications networks. Sign up to receive these advisories in your inbox as soon as they are released.
