Vulnerability Description
The Dirty Pipe vulnerability in the Linux kernel has been around since version 5.8 and is tracked as CVE-2022-0847. This flaw, discovered by Max Kellermann, abuses how the kernel manages pages in pipes and allows overwriting data in arbitrary read-only files, which means local attackers can escalate privileges, giving them access they shouldn’t have.
The Branch History Injection (BHI) vulnerability, designated CVE-2022-0002/CVE-2022-0001, is a variant of Spectre that allows an unprivileged attacker to manipulate the branch history before transitioning to supervisor or VMX root mode, which means local attackers can escalate privileges, giving them access they shouldn’t have.
Vulnerability Details
Publication Date: March 2022
Vulnerability Link: NVD - CVE-2021-4034
Branch History Injection - VUSec
NVD CVSS Score: 8.8
Affected CTERA Products
- CTERA Edge Filer 7.x
Analysis
CTERA classifies both vulnerabilities as having low impact on CTERA Edge Filers: exploitation requires a user with local access and low privileges, and CTERA Edge Filers do not provide any local access to users.
CTERA products other than CTERA Edge Filers are not affected.
Workaround
No workaround is available.
Permanent Solution
CTERA will release a new version of CTERA Edge Filer during April 2022, since the vulnerabilities may, in theory, allow escalation of lower-severity (presently unknown) attacks.