Dirty Pipe and the Importance of Application Infrastructure Protection

Chris Ford
Published March 23, 2022

The start of this year has seen a handful of infrastructure-level vulnerabilities impacting cloud-native organizations, such as Log4j and Pwnkit. Continuing that trend is Dirty Pipe, a vulnerability in the Linux kernel. Dirty Pipe allows for overwriting data in arbitrary read-only files, which can lead to privilege escalation by injecting code into root processes.

Because bad actors can leverage Dirty Pipe to cause damage at the infrastructure level, it can present a problem for a lot of enterprises. But with a comprehensive view of the full environment, vulnerabilities like these can be properly managed as they emerge.

The Problem with Defending Against Dirty Pipe

Many organizations that are undertaking digital transformation efforts are focused on “modernizing” their key business applications, according to F5’s State of Application Strategy Report. We’re seeing our customers increasingly investing in microservices-based infrastructure to run these applications, because they deliver strong benefits like greater agility and pace of innovation.

Consistent with this push to modernize applications, we’re also seeing more of a need for application protection. Last month, F5 addressed this with the release of the F5 Distributed Cloud WAAP, giving customers a host of tools for protection at the application layer, like Bot Defense or Advanced WAF. This solution gives our customers the ability to block attacks that would impact the organization by accessing key business applications.

The trouble with vulnerabilities like Dirty Pipe (and other recent exploits such as Pwnkit or Log4j) is that simply blocking bad actors from accessing the application layer using tools like Distributed Cloud WAAP isn’t enough when the targeted attack exposes weaknesses at the infrastructure level. Applications are only as secure as the cloud-native infrastructure they run on, so to defend against an exploit like Dirty Pipe, customers need to have protection for the infrastructure itself. With the acquisition of Threat Stack, F5 is ideally positioned to offer this capability as well.

Threat Stack monitors all layers of the cloud-native infrastructure stack—from the cloud management console to hosts, containers, and orchestration—for behaviors that indicate attackers have gained access to the infrastructure. Threat Stack then provides the necessary observability for customers to proactively and quickly take targeted action to remediate threats to this layer. Combined with F5, customers can secure their modernized applications with a comprehensive view of threats to both the application and the infrastructure levels.

How Threat Stack Helps with Dirty Pipe

For Dirty Pipe specifically, Threat Stack customers immediately benefited from Oversight, Threat Stack’s 24/7/365 Security Operations Center (SOC) monitoring and expertise. Much like with Log4j and Pwnkit, the team began looking across the entire customer base for indications of Dirty Pipe to determine how we could best support our customers.

After conducting threat hunting and reviewing expert third-party sources, we determined that, much like with Log4j, Threat Stack detects post-exploit activity specific to this vulnerability. Threat Stack’s out-of-the-box rules are set to observe and alert on any indicators of compromise that show Dirty Pipe activity within a customer’s environment.

We’re continuing to track how Dirty Pipe might impact our customers, much like we do for Log4j, Pwnkit, and others. But the larger story here is that attacks can happen uniquely at the infrastructure level, and to keep modernized applications secure, you need to have a view of those attacks. At Threat Stack and F5, we’re committed to doing just that.