CVE-2022-41974 - Local Escalation to Root in multipath-tools (.7. to pre-.9.2) Exploited with Simple Socket Tricks

In late 2022, security researchers discovered a nasty privilege escalation bug in multipath-tools, a key package used in Linux environments for managing multipath disk setups. This vulnerability, tracked as CVE-2022-41974, allows any local user with write access to certain UNIX domain sockets to bypass normal access controls, tweak multipath configurations, and ultimately become root on affected systems.

This flaw is especially dangerous because it can be exploited alone, or combined with the closely related CVE-2022-41973 for a devastating 1-2 punch. In this post, we’ll lay out in simple terms how this bug works, how it can be exploited, and how you can protect your systems.

Background: What is multipath-tools?

multipath-tools is a suite of utilities to manage multiple physical paths to storage on Linux servers. It's widely used in enterprise setups, handling configurations and I/O safety for disks connected by more than one path. The main service (multipathd) runs as root and controls access via UNIX domain sockets located in /run/multipathd/ (or sometimes /var/run/multipathd/).

The Vulnerability: How Does CVE-2022-41974 Work?

The problem arises from incorrect handling of configuration commands sent to the multipath daemon via its control socket. If a local malicious user has write access to this socket (directly or via another bug, for example via CVE-2022-41973), they can send crafted commands that break normal security controls.

Root Cause:  
When the code handles configuration keywords, and a keyword is supplied more than once, it combines the permission flags using arithmetic addition (+) rather than a bitwise OR (|). This seemingly tiny difference means an attacker can repeat critical keywords to trick the daemon into giving them administrative powers.

Here’s a simplified code snippet (in C, from the real multipathd code), showing the bug

// Incorrect: adds option flags instead of using OR
perm |= cmd_flags[i];
...
// The bug: repeated flags let you escalate!

If cmd_flags is evaluated multiple times for the same admin action (like "del path"), the math stacks up permissions one by one — instead of simply setting a “yes/no” flag. Eventually, you can walk right up to admin-level abilities, as if you were root.

Gain socket access

Either the socket is world-writable because of a misconfiguration, or another vuln (like CVE-2022-41973) lets you touch the socket.

Send a malicious control command

As a normal (unprivileged) user, connect to the daemon’s control socket and submit a crafted command containing repeated keywords. For example:

Privilege escalation

The flawed logic will sum the permission bits and grant you enough rights to delete or manipulate storage mappings — something only root should do.

  In some scenarios (see the Multipathd exploit PoC), you can even overwrite files or run code as root.

Proof of Concept (PoC) snippet

Here’s a minimalist example in Python (for educational purposes only — do not use this on systems you don’t own!) showing how to trigger the bug:

import socket

SOCKET_PATH = '/run/multipathd/multipathd.sock'

payload = b'del path del path del path /dev/sdX\n'

with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
    s.connect(SOCKET_PATH)
    s.sendall(payload)
    response = s.recv(4096)
    print(response.decode())

Note: Replace /dev/sdX with an actual device on your system. On vulnerable systems, this command could mess with storage configs or escalate you to root.

Real-World Impact

- Attackers can become root: By exploiting this, an ordinary local user could ultimately run arbitrary code as root.
- System integrity at risk: Storage configurations can be deleted or manipulated, potentially leading to data loss or denial of service.
- Combined exploits: If the socket isn’t already writable by low-privileged users, combine with CVE-2022-41973 to change socket permissions and then run this attack.

Remediation & Recommendations

Patch!  
Upgrade multipath-tools to at least .9.2, where the bug is fixed by using bitwise OR instead of addition.

Check your permissions:  
Ensure only root can write to /run/multipathd/multipathd.sock and restrict group membership to what’s absolutely necessary.

Watch your logs:  
Unusual multipathd control messages or “path deleted” actions from unexpected user accounts are red flags.

References & Further Reading

- NVD: CVE-2022-41974
- GitHub Security Advisory - multipath-tools
- CVE-2022-41974 Proof-of-Concept Exploit
- Jonathan Leitschuh’s research on related vulnerabilities

Conclusion

CVE-2022-41974 is a textbook example of how a small programming slip — using addition instead of bitwise-OR — can turn into a system-wide threat. If you are running multipath-tools on your servers, check your version and patch ASAP, especially if you have untrusted local users. Take care with programmatic permissions and always keep daemons’ sockets locked down tight.

Stay safe and happy hacking!

*This post is original and exclusive. All descriptions are simplified for broad understanding.*

Timeline

Published on: 10/29/2022 19:15:00 UTC
Last modified on: 11/22/2022 14:15:00 UTC