Linux ‘Dirty Pipe’ Vulnerability Audit

Find Linux Devices Vulnerable to CVE-2022-0847

CVE-2022-0847, also known as 'Dirty Pipe', is a vulnerability that can lead to local users gaining root privileges. Because it allows local users to inject and overwrite data in read-only files, unprivileged processes can inject code into root processes. Similar vulnerabilities have been abused in the past by malware and other attackers, so patching is recommended as soon as possible. Any Linux system not running kernel version 5.16.11, 5.15.25, 5.10.102, or higher will require patching.

The report below provides a list of Linux devices that do not have one of the above-mentioned kernel releases or higher.

Linux 'Dirty Pipe' Vulnerability Query

Select Top 1000000 tblAssets.AssetID,
tblAssets.AssetName,
tblAssets.Domain,
tblAssets.Username,
tblAssets.Userdomain,
Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
tblAssets.IPAddress,
tsysIPLocations.IPLocation,
tblAssetCustom.Manufacturer,
tblAssetCustom.Model,
tblLinuxSystem.osrelease,
tblLinuxSystem.kernelrelease,
S1.KernelVersion As [Kernel Version Cleaned],
Case
When Len(tblLinuxSystem.kernelrelease) -
Len(Replace(tblLinuxSystem.kernelrelease, '.', '')) < 2 Then ''
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 1)) = 1 And
Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) = 10 And
Cast(ParseName(S1.KernelVersion, 1) As bigint) >= 102 Then 'Safe'
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 1)) = 1 And
Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) = 15 And
Cast(ParseName(S1.KernelVersion, 1) As bigint) >= 25 Then 'Safe'
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 1)) = 1 And
Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) = 16 And
Cast(ParseName(S1.KernelVersion, 1) As bigint) >= 11 Then 'Safe'
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 1)) = 1 And
Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) = 4 And
Cast(ParseName(S1.KernelVersion, 1) As bigint) >= 0 Then 'Safe'
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
(Cast(ParseName(S1.KernelVersion, 3) As bigint) > 5 Or
(Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) > 16)) Then 'Safe'
Else 'Vulnerable'
End As [Safe/Vulnerable],
Case
When tblErrors.ErrorText Is Not Null And
tblErrors.ErrorText != '' Then
'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
Else ''
End As ScanningErrors,
tblAssets.Lastseen,
tblAssets.Lasttried,
Case
When Len(tblLinuxSystem.kernelrelease) -
Len(Replace(tblLinuxSystem.kernelrelease, '.', '')) < 2 Then ''
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 1)) = 1 And
Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) = 10 And
Cast(ParseName(S1.KernelVersion, 1) As bigint) >= 102 Then '#d4f4be'
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 1)) = 1 And
Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) = 15 And
Cast(ParseName(S1.KernelVersion, 1) As bigint) >= 25 Then '#d4f4be'
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 1)) = 1 And
Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) = 16 And
Cast(ParseName(S1.KernelVersion, 1) As bigint) >= 11 Then '#d4f4be'
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 1)) = 1 And
Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) = 4 And
Cast(ParseName(S1.KernelVersion, 1) As bigint) >= 0 Then '#d4f4be'
When IsNumeric(ParseName(S1.KernelVersion, 3)) = 1 And
IsNumeric(ParseName(S1.KernelVersion, 2)) = 1 And
(Cast(ParseName(S1.KernelVersion, 3) As bigint) > 5 Or
(Cast(ParseName(S1.KernelVersion, 3) As bigint) = 5 And
Cast(ParseName(S1.KernelVersion, 2) As bigint) > 16)) Then '#d4f4be'
Else '#ffadad'
End As backgroundcolor
From tblAssets
Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
Inner Join tsysIPLocations On tsysIPLocations.LocationID =
tblAssets.LocationID
Inner Join tblLinuxSystem On tblLinuxSystem.AssetID = tblAssets.AssetID
Left Join (Select tblLinuxSystem.AssetID,
Case
When tblLinuxSystem.kernelrelease Like '%-%' Then
Left(tblLinuxSystem.kernelrelease, CharIndex('-',
tblLinuxSystem.kernelrelease) - 1)
End As KernelVersion
From tblLinuxSystem) As S1 On S1.AssetID = tblAssets.AssetID
Inner Join tblState On tblState.State = tblAssetCustom.State
Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
Max(tblErrors.Teller) As ErrorID
From tblErrors
Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
ScanningError.ID
Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
tblErrors.ErrorType
Where tblState.Statename = 'Active'
Order By tblAssets.Domain,
tblAssets.AssetName
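
The same Safe/Vulnerable decision for a single release string, as a shell function that can be run against uname -r output on one host; this is an added example, not part of Lansweeper's report. It applies the thresholds above, accepts release strings with or without a '-' suffix, and reads "or higher" as covering series newer than 5.16. The names classify_kernel and at_least and the sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Lansweeper code). Fixed releases taken from this page:
# 5.10.102, 5.15.25, 5.16.11. classify_kernel is an illustrative name.

at_least() {  # at_least VALUE MINIMUM
    if [ "$1" -ge "$2" ]; then echo "Safe"; else echo "Vulnerable"; fi
}

classify_kernel() {
    release=$1
    # Release candidates precede the final release of their series, so the
    # series number alone cannot settle whether the fix is present.
    case $release in *-rc*) echo "Unknown"; return 0 ;; esac
    # Keep the leading MAJOR.MINOR.PATCH: "5.15.0-25-generic" -> "5.15.0".
    version=$(printf '%s\n' "$release" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$version" ]; then echo "Unknown"; return 0; fi
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    if [ "$major" -gt 5 ]; then echo "Safe"; return 0; fi
    if [ "$major" -lt 5 ]; then echo "Vulnerable"; return 0; fi
    case $minor in
        4)  echo "Safe" ;;                 # the query marks every 5.4.x Safe
        10) at_least "$patch" 102 ;;
        15) at_least "$patch" 25 ;;
        16) at_least "$patch" 11 ;;
        *)  at_least "$minor" 17 ;;        # newer series: "or higher"
    esac
}

# Constructed sample release strings, followed by this host's own kernel.
for r in 5.10.102-generic 5.15.0-25-generic 6.1.0-13-amd64 "$(uname -r)"; do
    printf '%-26s %s\n' "$r" "$(classify_kernel "$r")"
done
```

Distribution kernels often carry backported fixes without changing the upstream version number, so a Vulnerable result based on version numbers alone should be confirmed against the vendor's advisory for the installed kernel package.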
