microsoft / WSL

Issues found on WSL
https://docs.microsoft.com/windows/wsl
MIT License

CVE-2022-0847 "Dirty Pipe" Linux Kernel bug #8128

Closed ThatDeaf-ITGuy closed 2 years ago

ThatDeaf-ITGuy commented 2 years ago

Version

Microsoft Windows [Version 10.0.19044.1566]

WSL Version

Kernel Version

5.10.60.1

Distro Version

Ubuntu 20.04

Other Software

No response

Repro Steps

CVE-2022-0847 was first reported to the Linux kernel maintainers by Max Kellermann "max.kellermann@ionos.com" and was publicly disclosed earlier today (2022-03-07). The TL;DR is that this bug allows extremely low privileged accounts (including Nobody) to escalate privileges up to root, modify read-only files, and otherwise do serious damage if exploited.

I noticed that the WSL2 Kernel appears to be in one of the affected kernel releases, so I was wondering when a new release would roll out to address the bug. For reference, "The vulnerability was fixed in Linux [kernel versions] 5.16.11, 5.15.25 and 5.10.102."

Technical details from Mr. Kellermann's blog: https://dirtypipe.cm4all.com/

I didn't use the security vulnerability reporting form since I'm not a security researcher in any way, shape or form. Just a sysadmin who reads ArsTechnica a lot. Apologies in advance if y'all are already well aware of this issue.

Expected Behavior

N/A

Actual Behavior

N/A

Diagnostic Logs

No response

Biswa96 commented 2 years ago

Does gaining root access in WSL2 need a vulnerability? One can run wsl.exe -d <distro> -u root.

ThatDeaf-ITGuy commented 2 years ago

Does gaining root access in WSL2 need a vulnerability? One can run wsl.exe -d <distro> -u root.

Huh, didn't know that was a thing tbh. I'm only a casual user of WSL2 so I'm not too well versed in the ins and outs. IIRC, WSL2 uses Hyper-V to run the kernel in a sandboxed VM (or something to that effect).

My initial concern was that this vulnerability would put the host system at risk. Though, given what you pointed out, that's probably not an issue. If the maintainers think this is a non-issue, I'll close it out.

Biswa96 commented 2 years ago

My initial concern was that this vulnerability would put the host system at risk.

Here the host system with Windows 10/11 may not be at risk from this Linux vulnerability. To gain privileged access, the wsl.exe or the distribution launcher has to be run as administrator. But I am not a security expert and may be wrong about this 😊

vbrozik commented 2 years ago

Does gaining root access in WSL2 need a vulnerability? One can run wsl.exe -d <distro> -u root.

Good note!

I consider having this allowed by default to be another vulnerability. You can probably mitigate this by remounting /mnt/c without executable rights or changing the rights just for /mnt/c/WINDOWS/system32/wsl.exe.

To be better protected against possible malware inside WSL you should take those vulnerabilities very seriously. I am wondering why there is no response from Microsoft for CVE-2022-0847.

slonopotamus commented 2 years ago

I am wondering why there is no response from Microsoft for CVE-2022-0847.

Why would they make any response?

vbrozik commented 2 years ago

Why would they make any response?

I do not understand you... WSL is created and maintained by Microsoft including kernel updates. Microsoft is supposed to fix vulnerabilities in WSL.

BTW I noticed that 5.10.102.1 for WSL was released a few days ago already: https://github.com/microsoft/WSL2-Linux-Kernel/releases/tag/linux-msft-wsl-5.10.102.1

But there is still no release of a binary update package: https://www.catalog.update.microsoft.com/Search.aspx?q=wsl

nineus commented 2 years ago

I think you can build a new WSL2 kernel and replace the old one to solve this problem; that's what I did before.

Using WSL2 Ubuntu 20.04:

1. Download the required software and libraries: apt install build-essential flex bison dwarves libssl-dev libelf-dev

2. Download WSL2-Linux-Kernel and decompress it: 5.10.102.1 WSL release

3. Change directory into it and make: make KCONFIG_CONFIG=Microsoft/config-wsl

4. Then you can find a binary Linux kernel in the directory 'WSL2-Linux-Kernel-linux-msft-wsl-5.10.102.1/arch/x86/boot' named bzImage

5. Rename bzImage to kernel and shut down WSL (wsl --shutdown)

6. Replace the kernel. Old kernel location: C:\Windows\System32\lxss\tools\kernel. It may have a file-owner problem; change the owner and replace it with the new kernel.

Then you can use the new kernel.
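As an added defender-side check (example code, not from this thread), this POSIX shell function classifies a kernel version string, such as the 5.10.60.1 in the report or the 5.10.102.1 produced by the build above, against the fixed releases quoted in the opening post. It assumes the fact, taken from the CVE description rather than this thread, that the bug was introduced in Linux 5.8.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a WSL2 kernel version
# string against CVE-2022-0847 ("Dirty Pipe"). Fixed releases quoted in
# the report: 5.16.11, 5.15.25 and 5.10.102. The bug was introduced in
# 5.8 (per the CVE description), so older kernels are unaffected and
# 5.17+ ships with the fix already in mainline.

# dirty_pipe_status VERSION -> prints "fixed", "vulnerable", "unaffected"
# or "unknown" (unparsable input)
dirty_pipe_status() {
    # keep only the leading dotted numbers:
    # "5.10.102.1-microsoft-standard-WSL2" -> "5.10.102.1"
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    # split on dots into positional parameters; missing parts default to 0
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}

    if [ "$major" -eq 0 ]; then
        echo unknown; return
    fi
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 8 ]; }; then
        echo unaffected; return
    fi
    if [ "$major" -gt 5 ] || [ "$minor" -ge 17 ]; then
        echo fixed; return
    fi
    # stable series with a backported fix: first patch level carrying it
    case "$minor" in
        16) fix=11 ;;
        15) fix=25 ;;
        10) fix=102 ;;
        *)  echo vulnerable; return ;;   # 5.8, 5.9, 5.11-5.14: no fixed release
    esac
    if [ "$patch" -ge "$fix" ]; then echo fixed; else echo vulnerable; fi
}

# Stand-alone use inside the distro (or from Windows: wsl.exe sh check.sh).
# WSL reports the kernel as e.g. "5.10.102.1-microsoft-standard-WSL2".
echo "$(uname -r): $(dirty_pipe_status "$(uname -r)")"
```

Run it before and after swapping the kernel file: a "fixed" verdict after wsl --shutdown confirms the replacement actually took effect.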

yume-chan commented 2 years ago

https://github.com/microsoft/WSL/releases/tag/0.56.2

WSL just released a new version with updated kernel (and Dirty Pipe patched)

adpeyre commented 2 years ago

Does anyone know how to install it ?

Lqp1 commented 2 years ago

The msixbundle released above is not for X86 apparently. What worked for me is the procedure described by @Nineus (compiling and replacing the kernel manually). I guess it's good enough until the patch lands officially in the update catalog.

The only thing I notice is that the kernel is significantly smaller. I'm not sure why, but it does not prevent my WSL2 from starting:

19/03/2022  10:43        12 846 976 kernel
23/09/2021  04:59        72 651 888 kernel.copy

vbrozik commented 2 years ago

I noticed that a binary update package 5.10.102.2 was released for x64 and arm64 on 2022-03-25: https://www.catalog.update.microsoft.com/Search.aspx?q=wsl

martin-mueller-cemas commented 2 years ago

Thanks for the heads-up! While for me the Windows update history (under "Other updates") lists "Windows Subsystem for Linux Update - 5.10.102.2", wsl --update (in a cmd.exe shell) shows that 5.10.102.1 is installed.

Nevertheless, I had to restart WSL with wsl --shutdown to switch to the new kernel. The example Dirty Pipe exploit does not work in the new version (as expected).

benhillis commented 2 years ago

As others have noticed, we pushed 5.10.102 which has a fix for this CVE.

adpeyre commented 2 years ago

There is no certificate to download the fix. Is it really safe?

https://www.catalog.update.microsoft.com/Search.aspx?q=wsl => http://download.windowsupdate.com/d/msdownload/update/software/updt/2022/03/wsl_update_x64_8b248da7042adb19e7c5100712ecb5e509b3ab5f.cab

I can't execute wsl --update due to restrictions in my organization.

vbrozik commented 2 years ago

@adpeyre the CAB archive downloaded from the URL is digitally signed. You can see and check the signature in Windows Explorer's file properties.