Unraid OS 6.9.2 vulnerable to Dirty Pipe (CVE-2022-0847)



Search shows zero mentions of CVE-2022-0847 on the forums, so I'm starting a new thread. This is a privilege escalation vulnerability introduced in Linux Kernel 5.8. It is fixed in 5.16.11, 5.15.25, and 5.10.102. Unraid OS 6.9.2 runs Kernel 5.10.28, so the current release of Unraid is vulnerable.

 

Can we get a patch for this?

 

Resources

https://dirtypipe.cm4all.com/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847

https://arstechnica.com/information-technology/2022/03/linux-has-been-bitten-by-its-most-high-severity-vulnerability-in-years/
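As an added illustration (not code from the original post or from Unraid): a small check that parses a kernel release string such as Unraid's `5.10.28-Unraid` and compares it against the introduced version (5.8) and the fixed stable releases named above (5.16.11, 5.15.25, 5.10.102). Treating series newer than 5.16 as patched and other 5.8-and-later series as unpatched is my assumption, not something the post states.

```python
import platform
import re

# Versions taken from the post above: introduced in 5.8, fixed in the listed stable releases.
INTRODUCED = (5, 8, 0)
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}


def parse_kernel(release: str) -> tuple:
    """Turn 'major.minor[.patch][-suffix]' (e.g. '5.10.28-Unraid') into a comparable tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release relative to CVE-2022-0847 using the versions listed above."""
    v = parse_kernel(release)
    if v < INTRODUCED:
        return "not affected (bug introduced in 5.8)"
    series = v[:2]
    if series in FIXED_IN:
        fix = FIXED_IN[series]
        if v >= fix:
            return "patched"
        return "vulnerable (fix in %d.%d.%d)" % fix
    # Assumption (not from the post): series after 5.16 ship with the fix already merged.
    if series > (5, 16):
        return "patched (assumed: mainline after 5.16 includes the fix)"
    # 5.8 through 5.14 and 5.16 pre-release: no stable fix named in the post.
    return "vulnerable (no fixed release listed for this series; upgrade)"


def check_running_kernel() -> str:
    """Report the status of the kernel this script is running on."""
    rel = platform.release()
    return f"{rel}: {dirty_pipe_status(rel)}"


if __name__ == "__main__":
    # Unraid 6.9.2 as named in the post, then the host this runs on.
    print("5.10.28-Unraid:", dirty_pipe_status("5.10.28-Unraid"))
    print(check_running_kernel())
```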

3 minutes ago, JonathanM said:

How would this specific exploit work in Unraid? Unlike typical Linux installs, ONLY root is allowed console login, so no privilege escalation attack from that vector, right?

 

Since Unraid operates so differently from normal setups, I'm having a hard time picturing how this affects us.

 

I would be delighted if that was the case.

 

I may be inaccurate describing this purely as a privilege escalation vulnerability. It allows an attacker with access to an unprivileged user (all the way down to "nobody") to "overwrite any file contents cached in memory. Dirty Pipe can do this even if the file is not permitted to be written."

 

Researchers have demonstrated that this vulnerability can be used to:

  • add an SSH key to the root user's account
  • hijack an SUID binary to create a root shell
  • overwrite data in read-only files

I don't have sufficient depth on Unraid's architecture to know whether defense in depth strategies will mitigate this. I just saw that it's a kernel level vulnerability and we're running an affected kernel version.


Looks like Slackware 15 did a kernel upgrade on March 2nd to 5.16.12, and 5.16.11 had the patch, so depending on the RC3 base it may make it. Worst case, I would expect it in the final release.

 

In terms of the vector for attack, it seems like a carefully crafted plug-in could get it done.

5 minutes ago, txwireless said:

 

In terms of the vector for attack, it seems like a carefully crafted plug-in could get it done.

But plugins run as root anyway, so nothing has changed? Unraid is extremely vulnerable in one sense, as a malicious plugin can do damage regardless of this exploit.

 

I'm just not seeing how this exploit changes Unraid's exposure.

2 hours ago, Squid said:

Which is why every single plugin, regardless of author, undergoes a code inspection prior to inclusion in CA.

 

Thanks so much for that 🙏🏼

 

CA is amazing - really makes Unraid, and thus my homelab, useful for me. My big worry about a vulnerability like this is that it makes me hesitant to load new stuff in CA.

 

Would a dockerized app be able to exploit this vulnerability? I expect a VM would isolate the exploit, but since containers share the host kernel, the vulnerability may be passed through as well.

1 hour ago, k2U79!KvW9AXpwAc said:

My big worry about a vulnerability like this is that it makes me hesitant to load new stuff in CA.

Plugins don't particularly worry me. We're a small club of authors, and no one gets a free pass on inspection, and we also all have to deal with certain employees of Limetech doing another random inspection looking for other types of vulnerabilities.

 

I'm more concerned about users installing a random container from a Docker Hub search (not anything within CA itself) that might contain something unexpected (eg: mining software). The sweet thing about Docker apps in particular is that they only have access to files and folders that you've explicitly given them permission to have, so any malicious intent (eg: ransomware) is limited. Once again, this is about stuff that's on a Docker Hub search, not CA itself.

 

Both CA and FCP know what's going on with the apps installed, and if (big if) something malicious ever snuck through, immediate steps are taken to alert both the user and myself to what's happening.

19 hours ago, JonathanM said:

How would this specific exploit work in Unraid? Unlike typical Linux installs, ONLY root is allowed console login, so no privilege escalation attack from that vector, right?

 

Since Unraid operates so differently from normal setups, I'm having a hard time picturing how this affects us.

 

Correct me if I am wrong but:

 

1) You can have a different user for your SMB share.

2) You can have a different user for SSH.

3) You have a "Docker user". Some containers are set up to allow you to specify a UID/GID to be used by passing it in as an environment variable.

 

Probably not easy, and it needs multiple vulnerabilities/misconfigurations, but Docker can be "escaped". Ex.: consider an RCE that gives you access to a Docker container; from there you could possibly escape the container, or if the container allows you to have "user" access to a folder, with the above vulnerability you can make it to root.

 

Now my opinion is that, regardless of the vulnerability, the system needs to be fixed. Security is like an onion: if too many layers are missing, the chances of something bad happening are increased.

What we need is the possibility to avail of the latest security patches without waiting for a major/RC release. This topic has been brought up before, and I hope Limetech will implement the changes quite fast.

 

On 3/8/2022 at 4:24 PM, JonathanM said:

How would this specific exploit work in Unraid? Unlike typical Linux installs, ONLY root is allowed console login, so no privilege escalation attack from that vector, right?

 

Since Unraid operates so differently from normal setups, I'm having a hard time picturing how this affects us.

 

We already had the same discussion over a year ago.

Privilege escalation is very bad, and definitely needs to be fixed. Especially with the currently heightened threat levels.

 
