Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

The Linux process and session model as part of security alerting and monitoring

The Linux process model, available within Elastic, allows users to write very targeted alerting rules and gain deeper insight into exactly what is happening on their Linux servers and desktops. In this blog, we will provide background on the Linux process model, a key aspect of how Linux workloads are represented.

Linux 'Dirty Pipe' vulnerability: Snyk explains the risk and what you can do to protect your systems

Last week, a critical vulnerability was discovered in Linux. Developer-first security company, Snyk, warns Linux users of the flaw in the Linux kernel that can be exploited by attackers allowing any process to modify files regardless of their permission settings or ownership.

Detecting and responding to Dirty Pipe with Elastic

In recent days, several security vendors have published blogs about the Linux-based exploitation (CVE-2022-0847), also known as Dirty Pipe. The Elastic Security Research team is sharing the first detailed research to help organizations find and alert on the exploitation with Elastic Security products. We are releasing this research so that users can defend themselves, since very little information has been shared on the actual detection of exploitation attempts.

The Dirty Pipe vulnerability: Overview, detection, and remediation

The situation with Dirty Pipe is rapidly evolving. We will update the information in this blog as it is released publicly. On March 7, 2022, Max Kellermann publicly disclosed a vulnerability in the Linux kernel, later named Dirty Pipe, which allows underprivileged processes to write to arbitrary readable files, leading to privilege escalation. This vulnerability affects kernel versions starting from 5.8.

"Dirty Pipe" Linux vulnerability and your containerized applications (CVE-2022-0847)

Recently, CVE-2022-0847 was created detailing a flaw in the Linux kernel that can be exploited allowing any process to modify files regardless of their permission settings or ownership. The vulnerability has been named “Dirty Pipe” by the security community due to its similarity to “Dirty COW”, a privilege escalation vulnerability reported in CVE-2016-5195, and because the flaw exists in the kernel pipeline implementation.

CVE-2022-0847: "Dirty Pipe" Linux Local Privilege Escalation

Right on the heels of CVE-2022-4092, another local privilege escalation flaw in the Linux Kernel was disclosed on Monday, nicknamed “Dirty Pipe” by the discoverer. MITRE has designated this as CVE-2022-0847. Similar to the “Dirty COW” exploit (CVE-2016-5195), this flaw abuses how the Kernel manages pages in pipes and impacts the latest versions of Linux.

Dirty Pipe: Linux Kernel Vulnerability Could Lead to Root Privileges - CVE-2022-0847

In April 2021, CVE-2022-0847 was discovered by security researcher Max Kellermann; it took another few months for him to figure out what was happening. The flaw has already been patched in the Linux kernel and the Android kernel. Affected Linux distributions are in the process of pushing out security updates with the patch. Due to the similarities of the Dirty Cow flaw, CVE-2016-5195; has been named Dirty Pipe.

Linux Persistence and Privilege Escalation: Threat Research January 2022 Release

In this January 2022 release, The Splunk Threat Research (STRT) team focused on the recently released Sysmon for Linux technology addition to Splunk. This new add-on opens the door for new ways of monitoring, creating detections, and defending against Linux systems threats. Linux is the most commonly used operating system across the world with approximately 67% of the internet.

Hunting pwnkit Local Privilege Escalation in Linux (CVE-2021-4034)

In November 2021, a vulnerability was discovered in a ubiquitous Linux module named Polkit. Developed by Red Hat, Polkit facilitates the communication between privileged and unprivileged processes on Linux endpoints. Due to a flaw in a component of Polkit — pkexec — a local privilege escalation vulnerability exists that, when exploited, will allow a standard user to elevate to root.