A local privilege escalation vulnerability, CVE-2022-3787, was discovered in *device-mapper-multipath*, a tool widely used on Linux systems to manage multipath I/O for block devices. Simply put, this bug lets a local attacker become root by abusing how multipath processes configuration input—alone or alongside CVE-2022-41973.
Here, I break down this bug in plain language, show how it happens, and walk through an example exploit. Be sure to read this even if you’re not a kernel guru—it’s easier than you think.
What Is Device-Mapper-Multipath?
Multipath is a service for high-availability storage. It sits between the operating system and your disk hardware, making storage more resilient. It takes config data from users (like what disks to watch, how to balance I/O), including over local UNIX-domain sockets.
The Bug Explained
Multipath parses input with "keywords" that control things like user or root privileges. But the code wrongly uses an arithmetic ADD instead of a bitwise OR when handling repeated keywords.
Expected: If a keyword is set more than once, its associated flag should be set once with an OR (::|=::), so repeats don’t matter.
Vulnerable: They instead use ADD (::+=::), so repeated keywords stack up and cause unexpected behavior. This logic error lets users bypass access control checks.
Below is a simplified look at the problematic logic
int flags = ;
for (i = ; i < n_keywords; i++) {
if (keyword[i] == "ALLOW_ROOT") {
flags += ALLOW_ROOT; // <- Should use |= instead of +=
}
}
If ALLOW_ROOT = 1, then passing the keyword twice makes flags = 2, which may not be checked (since code expects a binary mask).
In real code [see patch][1]
- *out |= matching_keyword->flag;
+ *out += matching_keyword->flag;
PATCHED to
+ *out |= matching_keyword->flag;
Links to Original References
- Red Hat Security Advisory
- upstream patch
- CVE details page
Exploiting CVE-2022-3787 – Example
Let’s say you have a low-privileged shell on a target with multipath running and access to its UNIX socket.
Step 1: Find the Socket
Sockets usually live under /run/multipathd.sock or /var/run/multipathd/multipathd.sock.
Step 2: Craft Payload
Multipath listens for config commands, separated by space or newline. If you send a config line with a privileged keyword repeated, you can trick it into turning on root-level access in the next operation it does *on your behalf*.
For demonstration, here's a Python snippet
import socket
sock_path = '/run/multipathd.sock' # or correct path
# Forge the request, repeating the keyword intentionally
payload = b'add map ALLOW_ROOT ALLOW_ROOT\n'
with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
s.connect(sock_path)
s.sendall(payload)
resp = s.recv(4096)
print(resp.decode())
Step 3: Profit
If successful—and the system's access control code is still broken—multipathd processes your config as if you are root.
Combining this with CVE-2022-41973, you can potentially overwrite multipath configuration files or escalate privileges even further.
Simple mistake, big consequences
Admins: Patch ASAP. Major distributions have already released updates. If you can't patch, restrict access to multipathd's sockets, or temporarily disable the service if possible.
Closing
The CVE-2022-3787 bug reminds us of the power of "simple" code mistakes, like confusing += and |= on privilege flags. Always use the right operator for your logic, especially in security checks!
Stay updated, and never trust input—especially if root access is on the line.
References
- Red Hat Security Advisory
- Multipath tools upstream patch
- NVD CVE-2022-3787 Details
- CVE-2022-41973 Details
Stay safe—patch those boxes!
*[Exclusive write-up for educational, defensive purposes. Do not use for unauthorized intrusion.]*
[1]: https://github.com/opensvc/multipath-tools/commit/5b995dfadc74e2e68bfc4549db3e84968fa66d2
Timeline
Published on: 03/29/2023 21:15:00 UTC
Last modified on: 04/06/2023 19:25:00 UTC