CVE-2022-1664

9.8 CRITICAL

📋 TL;DR

This vulnerability in dpkg allows directory traversal when extracting specially crafted source packages, enabling attackers to write arbitrary files outside the intended extraction directory. It affects Debian-based systems using vulnerable dpkg versions to process untrusted source packages. The high CVSS score reflects the potential for remote code execution.

💻 Affected Systems

Products:
  • dpkg
Versions: dpkg versions before 1.21.8, 1.20.10, 1.19.8, 1.18.26
Operating Systems: Debian-based Linux distributions (Debian, Ubuntu, derivatives)
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when extracting v2 or v3 source packages containing debian.tar from untrusted sources.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, privilege escalation, or data exfiltration.

🟠 Likely Case: Local privilege escalation or arbitrary file overwrite when processing malicious source packages.

🟢 If Mitigated: Limited impact if only trusted source packages are processed or proper sandboxing is in place.

🌐 Internet-Facing: MEDIUM - Requires processing untrusted source packages, which is less common on internet-facing systems.
🏢 Internal Only: HIGH - Build systems, CI/CD pipelines, and development environments frequently process source packages.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Directory traversal is a well-understood attack vector.

Exploitation requires the ability to provide malicious source packages to dpkg for extraction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: dpkg 1.21.8, 1.20.10, 1.19.8, or 1.18.26

Vendor Advisory: https://lists.debian.org/debian-lts-announce/2022/05/msg00033.html

Restart Required: No

Instructions:

1. Update dpkg using your package manager: sudo apt update && sudo apt upgrade dpkg
2. Verify the installed version meets the patched requirements.

🔧 Temporary Workarounds

Avoid processing untrusted source packages (linux): Only extract source packages from trusted sources and verify checksums.

Use sandboxed extraction (linux): Extract source packages in isolated containers or chroot environments.

🧯 If You Can't Patch

  • Restrict dpkg source extraction to trusted users only.
  • Monitor for suspicious file writes outside expected extraction directories.

🔍 How to Verify

Check if Vulnerable / Check Version:

Check the installed dpkg version with: dpkg --version | head -1

Verify Fix Applied:

Confirm the installed version is at or above the fixed release for its branch: 1.21.8, 1.20.10, 1.19.8, or 1.18.26.
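To run the version check above without eyeballing the numbers, here is an added Python helper (not part of this advisory) that parses the output of `dpkg --version` and compares it against the fixed release for each branch listed above. Distribution backports may carry the fix under a version string that never reaches these numbers, so treat a "vulnerable" result as a prompt to consult your distro's advisory rather than as proof.

```python
import re
import shutil
import subprocess

# Fixed dpkg releases per upstream branch, taken from this advisory.
FIXED_BY_BRANCH = {
    (1, 21): (1, 21, 8),
    (1, 20): (1, 20, 10),
    (1, 19): (1, 19, 8),
    (1, 18): (1, 18, 26),
}

_VERSION_LINE_RE = re.compile(r"version\s+(\d+(?:\.\d+)+)")
_NUMERIC_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from `dpkg --version` output or from a
    bare version string such as '1.21.1ubuntu2.1' (distro suffix ignored)."""
    m = _VERSION_LINE_RE.search(text)
    candidate = m.group(1) if m else text.strip()
    m2 = _NUMERIC_RE.match(candidate)
    if not m2:
        raise ValueError(f"unrecognised dpkg version: {text!r}")
    return tuple(int(x) for x in m2.groups())


def is_vulnerable(text):
    """True when the upstream version is below the fixed release of its branch."""
    major, minor, patch = parse_version(text)
    branch = (major, minor)
    if branch in FIXED_BY_BRANCH:
        return (major, minor, patch) < FIXED_BY_BRANCH[branch]
    # Branches newer than 1.21 were cut after the fix; branches older than
    # 1.18 received no fixed release at all.
    return branch < (1, 18)


if __name__ == "__main__":
    # On a real host, read the version straight from dpkg; otherwise use a
    # constructed sample line in the same format.
    if shutil.which("dpkg"):
        out = subprocess.run(["dpkg", "--version"], capture_output=True, text=True).stdout
    else:
        out = "Debian 'dpkg' package management program version 1.21.7 (amd64)."
    print("vulnerable" if is_vulnerable(out) else "fixed", parse_version(out))
```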

📡 Detection & Monitoring

Log Indicators:

  • Failed file writes outside extraction directories
  • Unusual dpkg source extraction processes

Network Indicators:

  • Downloads of source packages from untrusted sources

SIEM Query:

Process execution where the command contains 'dpkg-source' and the arguments include '--extract' (or its short form '-x') or similar.
