CVE-2022-41974, CVE-2022-41973, CVE-2022-3328 Exploit Detection: Three Linux Vulnerabilities Chained to Gain Full Root Privileges

Security experts from Qualys’ Threat Research Unit warn of a novel vulnerability  (CVE-2022-3328) in Snapd, a popular software management tool for Linux, that might be exploited for local privilege escalation and arbitrary code execution. The security issue in the spotlight can be chained with older vulnerabilities revealed in multipathd (CVE-2022-41973 & CVE-2022-41974) to escalate privileges to root on Linux systems. 

Detecting CVE-2022-41974, CVE-2022-41973, CVE-2022-3328 Exploitation Attempts

As the exploit chain poses a significant risk to Linux systems, security experts need a reliable source of detection content to identify any attacks against the organizational environment at the earliest stages of its development. The SOC Prime Team has released a set of Sigma rules detecting exploitation attempts of CVE-2022-3328, CVE-2022-41973, and CVE-2022-41974: 

Possible CVE-2022-3328 Exploitation and Post-Exploitation Patterns in Snap-Confine’s (via cmdline)

This rule detects exploitation patterns of race condition in Snap-confine’s must_mkdir_and_open_with_perms() based on security research by Qualys. The detection can be used across 18 SIEM, EDR, and XDR technologies and is aligned with the MITRE ATT&CK® framework addressing the Privilege Escalation tactic with the corresponding Exploitation for Privilege Escalation (T1068) technique.

Possible CVE-2022-41974 and CVE-2022-41973 Exploitation Chain [multipathd] (via auditd)

Possible CVE-2022-41974 and CVE-2022-41973 Exploitation Chain [multipathd] (via file_event)

The rules above detect exploitation patterns of authorization bypass aka symlink attack in multipathd (symlink creation) and are also based on Qualys research. The detections can be applied across 18 SIEM, EDR, and XDR technologies and are aligned with ATT&CK addressing the Privilege Escalation tactic with the corresponding Exploitation for Privilege Escalation (T1068) technique.

Eager to join collective cyber defense forces and earn money while making the world a safer place? Register for our Threat Bounty Program, publish exclusive Sigma rules to the largest threat detection marketplace, hone your Detection Engineering skills, and connect with industry experts while receiving financial benefits for your input.

Hit the Explore Detections button to review the extensive list of Sigma rules covering Linux use cases. Access the detection content for Linux-related threats, accompanied by CTI links, ATT&CK references, and threat hunting ideas.

Explore Detections

Linux Vulnerabilities Exploit Chain: High-Impact Attack Analysis

Throughout the period of 2021-2022, there has been a significant rise in detection content consumption for Linux threats, which points to a pressing need for endpoint protection against emerging cyber attacks affecting Linux-based environments.

The Qualys Research Team earlier uncovered two vulnerabilities in Linux multipathd dubbed “Leeloo Multipath” that can lead to an authorization bypass and symlink attacks. The multipathd daemon is a utility designed to check for failed paths running as a root in the default installation of Linux OS like the Ubuntu Server.

The above-mentioned flaws can be chained together with a newly discovered third vulnerability, which can involve much higher cybersecurity risks. The successful exploitation of all three vulnerabilities can enable attackers to gain full root privileges on compromised Linux systems. 

The earlier discovered flaws are tracked as CVE-2022-41974 and CVE-2022-41973, with the former leading to authorization bypass (CVSS score 7.8) and the lattes potentially causing a symlink attack (CVSS score 7.0). Both vulnerabilities, no matter how they are exploited — alone or chained together — can lead to local privilege escalation to root. 

The novel security bug tracked as CVE-2022-3328 affects the Snap-confine function on Linux OS, which is applied by Snapd to build the execution environment for Snap apps. Currently, there are no mitigations available for CVE-2022-3328. Although the vulnerability cannot be weaponized remotely, the risks of its exploitation attempts are increasing, provided that threat actors log in as unprivileged users allowing them to obtain root privileges. This security flaw was introduced in February 2022 by the patch for another race condition Snapd vulnerability tracked as CVE-2021-44731. Cyber defenders strongly recommend applying the patch for this vulnerability to proactively defend against potential intrusions.   

Easy-to-exploit vulnerabilities in popular software applications are exposing thousands of global companies to reputational risks, therefore proactive detection of vulnerability exploitation is holding one of the top positions among SOC content priorities. Reach 700 detection algorithms for current and existing CVEs leveraging collective cyber defense — get 120+ Sigma rules for free at https://socprime.com/ or the entire detection stack with On Demand at https://my.socprime.com/pricing/. Grab our Cyber Monday deal for On Demand to gain up to 200 more premium Sigma rules of your choice by the end of 2022.