# [HIGH] "Dirty Pipe" Linux vulnerability and your containerized applications (CVE-2022-0847) **Source:** Snyk **Published:** 2022-03-09 **Article:** https://snyk.io/blog/dirty-pipe-vulnerability-cve-2022-0847-containerized-applications/ ## Threat Profile Snyk Blog In this article Written by Eric Smalling March 9, 2022 0 mins read What is the “Dirty Pipe” vulnerability? (CVE-2022-0847) Recently, CVE-2022-0847 was created detailing a flaw in the Linux kernel that can be exploited allowing any process to modify files regardless of their permission settings or ownership. The vulnerability has been named “Dirty Pipe” by the security community due to its similarity to “Dirty COW”, a privilege escalation vulnerability reported in CVE-2016-5195 , and b… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2022-0847` - **CVE:** `CVE-2016-5195` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Article-specific behavioural hunt — "Dirty Pipe" Linux vulnerability and your containerized applications (CVE-2022-0 `UC_2306_1` · phase: **install** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — "Dirty Pipe" Linux vulnerability and your containerized applications (CVE-2022-0 ``` | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/etc/passwd*") by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ``` **Defender KQL:** ```kql // Article-specific bespoke detection — "Dirty Pipe" Linux vulnerability and your containerized applications (CVE-2022-0 // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/etc/passwd")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2022-0847`, `CVE-2016-5195` ## Why this matters Severity classified as **HIGH** based on: CVE present, 2 use case(s) fired, 2 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.