2022-04-06

This blog provides threat analysts with a guide to detecting an arbitrary file overwrite vulnerability in the Linux kernel, also known as Dirty Pipe. Dirty Pipe is a local privilege escalation vulnerability tracked as CVE-2022-0847. It has a CVSS score of 7.8 and was discovered by IONOS software developer Max Kellermann.

This vulnerability exists in the Linux kernel: a flaw in the kernel's memory management in the way pipe page caches are merged allows them to overwrite other page caches. The vulnerability is easy to exploit and allows a low-privileged user to escalate to root privileges on the host. Several public proof-of-concept exploits are also available.

Attackers can abuse this flaw to write to pages in the page cache of read-only files, and from there execute their own code to escalate their privileges on the system.
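Because the overwrite lands in the page cache rather than going through the normal write path, a read of the affected file returns the tampered content while the file's metadata may still look untouched. The following added example (not code from the original post or from Trend Micro) shows a defender-side integrity check for sensitive read-only files: it records a baseline hash plus size and mtime, then flags the case where the content hash changes but size and mtime do not. The assumption that an in-cache overwrite leaves mtime unchanged is this example's own; the `demo()` function simulates that condition on a temporary file with `os.utime` purely so the check can be exercised offline.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hash the file as the kernel serves it, i.e. through the page cache."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(path: str) -> dict:
    """Record content hash and metadata for a file that should not change."""
    st = os.stat(path)
    return {"sha256": sha256_of(path), "size": st.st_size, "mtime_ns": st.st_mtime_ns}


def check_against_baseline(path: str, baseline: dict) -> str:
    """Return 'clean', 'content-changed', or the suspicious combination
    'content-changed-metadata-unchanged' (content differs, inode metadata does not)."""
    st = os.stat(path)
    if sha256_of(path) == baseline["sha256"]:
        return "clean"
    if st.st_size == baseline["size"] and st.st_mtime_ns == baseline["mtime_ns"]:
        return "content-changed-metadata-unchanged"
    return "content-changed"


def demo() -> tuple:
    """Constructed scenario: baseline a passwd-like file, then simulate an
    in-cache overwrite by rewriting one byte and resetting mtime to the baseline."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "passwd")
        with open(p, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        baseline = take_baseline(p)
        first = check_against_baseline(p, baseline)

        # Same length, one byte different; then put mtime back so only content differs.
        with open(p, "w") as f:
            f.write("root:X:0:0:root:/root:/bin/bash\n")
        os.utime(p, ns=(baseline["mtime_ns"], baseline["mtime_ns"]))
        second = check_against_baseline(p, baseline)
        return first, second


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be stored off-host and the check scheduled against files such as /etc/passwd, /etc/shadow and setuid binaries; a hash mismatch with unchanged metadata is a strong signal that the content was altered without the usual write path, and is worth an alert even if the on-disk copy later turns out to be intact.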

The following sections outline how to detect the abuse of this vulnerability using Trend Micro Vision One™ and Trend Micro Cloud One™.

Trend Micro Cloud One™ - Workload Security

Modules

1. Log Inspection

Through this module, we can tap into the authentication-related events on the host.

Upon execution of the proof of concept, suspicious activity can be deduced from entries in "/var/log/auth.log". Successful exploitation can create the following system logs, which can be used for detection. It should be noted, however, that there are also cases where exploitation of this vulnerability leaves no trace in the logs.
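As an added example of the kind of auth.log review described above (this is not code from the original post, and the log lines are constructed for the example), the following parser flags `su` sessions to root opened by a non-root account, which is the trace a privilege escalation to root would typically leave in pam_unix's su:session entries. Both the older `session opened for user root by alice(uid=1000)` and the newer `session opened for user root(uid=0) by alice(uid=1000)` wording are handled; treating such entries as alertable is this example's own assumption and should be tuned against what is normal on the host.

```python
import re

# Constructed sample in Debian/Ubuntu auth.log format (not taken from the original post).
SAMPLE_AUTH_LOG = """\
Apr  6 10:12:01 host CRON[1203]: pam_unix(cron:session): session opened for user root by (uid=0)
Apr  6 10:15:42 host su: (to root) alice on pts/0
Apr  6 10:15:42 host su: pam_unix(su:session): session opened for user root by alice(uid=1000)
Apr  6 10:20:05 host sshd[1401]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Apr  6 10:21:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Apr  6 10:30:11 host su: pam_unix(su:session): session opened for user root(uid=0) by root(uid=0)
"""

# su's "(to root) <user> on <tty>" line gives us the terminal; the pam_unix line gives the uid.
SU_TO_ROOT = re.compile(r"\bsu(?:\[\d+\])?: \(to root\) (?P<user>\S+) on (?P<tty>\S+)")
SU_SESSION = re.compile(
    r"pam_unix\(su:session\): session opened for user root(?:\(uid=0\))? "
    r"by (?P<user>[\w.-]+)\(uid=(?P<uid>\d+)\)"
)


def find_su_to_root(log_text: str) -> list:
    """Return one finding per su:session to root that was opened by a non-root uid."""
    ttys = {}
    findings = []
    for line in log_text.splitlines():
        m = SU_TO_ROOT.search(line)
        if m:
            ttys[m.group("user")] = m.group("tty")
            continue
        m = SU_SESSION.search(line)
        if not m:
            continue
        uid = int(m.group("uid"))
        if uid == 0:
            continue  # root switching to root is not a privilege change
        findings.append({
            "user": m.group("user"),
            "uid": uid,
            "tty": ttys.get(m.group("user"), "?"),
            "line": line,
        })
    return findings


if __name__ == "__main__":
    for f in find_su_to_root(SAMPLE_AUTH_LOG):
        print(f"su to root by {f['user']} (uid {f['uid']}) on {f['tty']}")
```

Run against a real file with `find_su_to_root(open("/var/log/auth.log").read())`; because, as noted above, exploitation does not always leave a trace here, this check complements rather than replaces file-integrity and process monitoring.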