CVE-2022-41974 Overview
CVE-2022-41974 is a local privilege escalation vulnerability in multipath-tools versions 0.7.0 through 0.9.x before 0.9.2. This vulnerability allows local users to obtain root access by exploiting improper access control mechanisms in the multipathd daemon. The flaw can be exploited alone or in conjunction with CVE-2022-41973 to achieve full system compromise.
Local users with the ability to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. The root cause is a programming error: arithmetic ADD is used instead of bitwise OR when the flags of repeated keywords are combined, so the daemon's permission handling can be driven into a state that attackers can leverage for local privilege escalation to root.
Critical Impact
Local attackers can escalate privileges to root by bypassing access controls in multipathd, potentially leading to complete system compromise on affected Linux systems.
Affected Products
- opensvc multipath-tools (versions 0.7.0 through 0.9.x before 0.9.2)
- fedoraproject fedora (version 36)
- debian debian_linux (versions 10.0 and 11.0)
Discovery Timeline
- 2022-10-29 - CVE-2022-41974 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-41974
Vulnerability Analysis
The vulnerability exists in the multipath-tools daemon (multipathd), which is responsible for managing multipath device mappings in Linux systems. The multipathd daemon uses UNIX domain sockets for inter-process communication and implements access control checks to restrict which users can send commands to the daemon.
The core issue lies in how the daemon processes command keywords. When parsing configuration or command keywords, the code combines permission flags with arithmetic addition (+) instead of bitwise OR (|). Because each flag is meant to occupy a single bit, the two operators agree only while every keyword appears once, which is why this seemingly minor programming error went unnoticed despite its significant security implications.
An attacker can exploit this by repeating specific keywords in their input. Each repetition adds the keyword's flag value again instead of merely re-setting the same bit, so the sum carries into a higher bit. Carefully crafted input with repeated keywords can therefore set permission bits the input never contained, or overflow the accumulated value, in a way that bypasses the intended access control checks.
This vulnerability is particularly dangerous because multipathd typically runs with root privileges to manage block devices. Successfully bypassing the access controls allows an unprivileged local user to send privileged commands to the daemon, ultimately achieving arbitrary code execution as root.
Root Cause
The vulnerability originates from improper use of arithmetic operators for permission flag handling: the code uses arithmetic ADD instead of bitwise OR when combining keyword flags. Repeating a keyword therefore changes the accumulated value, pushing it beyond its expected bounds or wrapping it around, which effectively bypasses authorization checks.
The specific CWE classification is CWE-269 (Improper Privilege Management), reflecting the fundamental failure to properly restrict privileged operations to authorized users.
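To make the Vulnerability Analysis and Root Cause above concrete, the following is an added illustration written for this page; it is not code from multipath-tools, and the keyword codes, handler table, command strings and the names fingerprint and dispatch are constructed for the example. It shows why summing one-bit keyword codes differs from OR-ing them: with ADD, a keyword sent twice carries into the next bit, so the resulting fingerprint can select a handler for a command the client never sent; with OR, repetition is idempotent and the fingerprint stays a faithful set of the keywords received.

```c
#include <stdio.h>
#include <string.h>

/* Constructed keyword codes and handler table for this illustration; they are
 * not multipath-tools' real tables. Each keyword owns one bit, so a fingerprint
 * is meant to represent the SET of keywords in a command. */
enum {
    KW_LIST   = 1 << 0,   /* read-only "list"/"show" */
    KW_MAP    = 1 << 1,
    KW_RELOAD = 1 << 2,   /* alters the device-mapper setup: root only */
};

struct keyword { const char *name; int code; };

static const struct keyword keywords[] = {
    { "list",   KW_LIST   },
    { "show",   KW_LIST   },
    { "map",    KW_MAP    },
    { "reload", KW_RELOAD },
};

struct handler { int fingerprint; const char *name; };

static const struct handler handlers[] = {
    { KW_LIST   | KW_MAP, "show map"   },   /* allowed for any local user */
    { KW_RELOAD | KW_MAP, "reload map" },   /* privileged */
};

static int lookup_code(const char *tok)
{
    size_t i;

    for (i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
        if (strcmp(keywords[i].name, tok) == 0)
            return keywords[i].code;
    return -1;
}

/* Fingerprint of a space-separated command. use_or == 0 sums the codes
 * (the defect class this CVE describes); use_or == 1 ORs them, so a repeated
 * keyword can never set a bit the client did not send. Returns -1 on an
 * unknown keyword. */
int fingerprint(const char *cmd, int use_or)
{
    char buf[256];
    char *tok;
    int fp = 0;

    strncpy(buf, cmd, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        int code = lookup_code(tok);

        if (code < 0)
            return -1;
        fp = use_or ? (fp | code) : (fp + code);
    }
    return fp;
}

/* Name of the handler the fingerprint selects, or NULL when none matches. */
const char *dispatch(const char *cmd, int use_or)
{
    int fp = fingerprint(cmd, use_or);
    size_t i;

    for (i = 0; i < sizeof handlers / sizeof handlers[0]; i++)
        if (handlers[i].fingerprint == fp)
            return handlers[i].name;
    return NULL;
}

int main(void)
{
    const char *cmds[] = { "show map", "map map map" };
    size_t i;

    for (i = 0; i < sizeof cmds / sizeof cmds[0]; i++) {
        const char *with_add = dispatch(cmds[i], 0);
        const char *with_or  = dispatch(cmds[i], 1);

        printf("%-12s  ADD -> %-12s  OR -> %s\n", cmds[i],
               with_add ? with_add : "(no handler)",
               with_or  ? with_or  : "(no handler)");
    }
    return 0;
}
```

The first command is resolved identically under both operators, which is why a test suite that never repeats a keyword cannot expose the defect. The second contains only the unprivileged keyword "map", yet under ADD its fingerprint equals that of the privileged handler; under OR it matches nothing and is rejected. The correction described under Patch Information is exactly the use_or path.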
Attack Vector
The attack requires local access to the system with the ability to write to UNIX domain sockets used by multipathd. An attacker proceeds by:
- Identifying the UNIX domain socket used by multipathd (typically /run/multipathd.sock)
- Crafting a malicious payload that repeats specific keywords to exploit the arithmetic ADD bug
- Sending the crafted payload to the socket to bypass access control checks
- Executing privileged commands through the now-compromised daemon
- Achieving root-level access to the system
The vulnerability requires no user interaction and can be exploited by any local user with socket write access. When combined with CVE-2022-41973 (a symlink attack vulnerability), the exploitation chain becomes even more reliable.
For detailed technical analysis of the exploitation technique, refer to the Qualys Analysis on Leeloo Multipath.
Detection Methods for CVE-2022-41974
Indicators of Compromise
- Unexpected connections to the multipathd UNIX domain socket from non-root processes
- Suspicious process spawning with root privileges following multipathd socket activity
- Anomalous multipath configuration changes not initiated by system administrators
- Audit logs showing repeated keyword patterns in multipathd communications
Detection Strategies
- Monitor UNIX domain socket activity to /run/multipathd.sock for connections from unprivileged users
- Implement auditd rules to track socket operations on multipathd endpoints using auditctl -a always,exit -F arch=b64 -S connect -F path=/run/multipathd.sock
- Deploy SentinelOne Singularity to detect privilege escalation attempts and unauthorized root process creation
- Review system logs for unusual multipathd activity patterns or error messages indicating parsing anomalies
Monitoring Recommendations
- Enable verbose logging for multipathd to capture command parsing events and socket connections
- Configure SIEM alerts for privilege escalation indicators, particularly processes transitioning from low to high privilege levels
- Implement file integrity monitoring on multipath configuration files to detect unauthorized modifications
- Use SentinelOne's behavioral AI engine to detect anomalous system call patterns associated with local privilege escalation
How to Mitigate CVE-2022-41974
Immediate Actions Required
- Update multipath-tools to version 0.9.2 or later immediately on all affected systems
- Restrict access to the multipathd UNIX domain socket using filesystem permissions where possible
- Audit systems for signs of prior exploitation, particularly unauthorized root access or configuration changes
- Consider temporarily disabling multipathd on non-critical systems until patches can be applied
Patch Information
The vulnerability has been addressed in multipath-tools version 0.9.2. The patch corrects the arithmetic operation bug by replacing ADD with bitwise OR when processing keyword flags, ensuring proper permission bit handling.
Security updates are available from multiple sources:
- GitHub Release for Multipath Tools 0.9.2 - Official upstream fix
- Debian Security Advisory DSA-5366 - Debian stable updates
- Debian LTS Announcement - Long-term support updates
- Fedora Package Announcement - Fedora updates
- Gentoo GLSA 202311-06 - Gentoo advisory
Workarounds
- Restrict socket permissions on /run/multipathd.sock to allow access only from trusted root processes
- Implement mandatory access control (SELinux/AppArmor) policies to limit which processes can communicate with multipathd
- Temporarily disable the multipathd service on systems where multipath storage is not required using systemctl stop multipathd && systemctl disable multipathd (where socket activation is in use, apply the same to multipathd.socket so the daemon is not restarted on the next connection)
- Deploy network segmentation to limit the impact of potential system compromise
# Verify the current multipath-tools version (on Debian/Ubuntu the package is
# multipath-tools, on RHEL/CentOS/Fedora it is device-mapper-multipath)
multipathd -k"show version"
# Check for vulnerable versions and update on Debian/Ubuntu
apt update && apt install --only-upgrade multipath-tools
# Check for vulnerable versions and update on RHEL/CentOS/Fedora
dnf update device-mapper-multipath
# Restrict socket permissions as a temporary mitigation; this only takes effect
# if multipathd listens on a filesystem path rather than an abstract-namespace
# socket, which has no file mode to restrict
chmod 600 /run/multipathd.sock
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.