Everything posted by k2U79!KvW9AXpwAc
-
Unraid OS 6.9.2 vulnerable to Dirty Pipe (CVE-2022-0847)
Thanks so much for that 🙏🏼 CA is amazing - really makes Unraid, and thus my homelab, useful for me. My big worry about a vulnerability like this is that it makes me hesitant to load new stuff in CA. Would a dockerized app be able to exploit this vulnerability? I expect a VM would isolate the exploit, but since containers share the host kernel, the vulnerability may be passed through as well.
-
Unraid OS 6.9.2 vulnerable to Dirty Pipe (CVE-2022-0847)
I would be delighted if that was the case. I may be inaccurate describing this purely as a privilege escalation vulnerability. It allows an attacker with access to an unprivileged user (all the way down to "nobody") to "to overwrite any file contents cached in memory. Dirty Pipe can do this even if the file is not permitted to be written." Researchers have demonstrated that this vulnerability can be used to: add an SSH key to the root user's account link hijack an SUID binary to create a root shell link overwrite data in read-only files link I don't have sufficient depth on Unraid's architecture to know whether defense in depth strategies will mitigate this. I just saw that it's a kernel level vulnerability and we're running an effected kernel version.
-
Unraid OS 6.9.2 vulnerable to Dirty Pipe (CVE-2022-0847)
The Slackware 15.0 release notes say they're on Kernel 5.15.19, so that's vulnerable too. I cannot find any mention of this CVE on the Slackware security advisories.
-
Unraid OS 6.9.2 vulnerable to Dirty Pipe (CVE-2022-0847)
Search shows zero mentions of CVE-2022-0847 on the forums, so I'm starting a new thread. This is a privilege escalation vulnerability introduced in Linux Kernel 5.8. It is fixed in 5.16.11, 5.15.25, and 5.10.102. Unraid OS 6.9.2 runs Kernel 5.10.28, so the current release of Unraid is vulnerable. Can we get a patch for this? Resources https://dirtypipe.cm4all.com/ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847 https://arstechnica.com/information-technology/2022/03/linux-has-been-bitten-by-its-most-high-severity-vulnerability-in-years/