CVE-2022-3787

7.8 HIGH

📋 TL;DR

CVE-2022-3787 is a local privilege escalation vulnerability in device-mapper-multipath where attackers can bypass access controls by writing to UNIX domain sockets. This allows local users to gain root privileges, often exploited alongside CVE-2022-41973. Systems using device-mapper-multipath with vulnerable versions are affected.

💻 Affected Systems

Products:
  • device-mapper-multipath
Versions: Before the fix (specific versions vary by distribution)
Operating Systems: Linux distributions using device-mapper-multipath
Default Config Vulnerable: ⚠️ Yes
Notes: Requires local user access and ability to write to UNIX domain sockets. Often exploited with CVE-2022-41973.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root access to the system, enabling complete system compromise, data theft, and persistence.

🟠 Likely Case

Local users with write access to UNIX sockets escalate to root privileges, compromising system integrity.

🟢 If Mitigated

With proper access controls and patching, impact is limited to denial of service at most.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access, not remotely exploitable.
🏢 Internal Only: HIGH - Internal users with local access can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local access and write permissions to UNIX sockets. Often chained with CVE-2022-41973.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by distribution - check vendor advisories

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2138959

Restart Required: Yes

Instructions:

1. Check your distribution's security advisory.
2. Update the device-mapper-multipath package.
3. Restart affected services or reboot the system.

🔧 Temporary Workarounds

Restrict socket permissions


Limit write access to UNIX domain sockets used by multipath

chmod 660 /var/run/multipathd.sock
chown root:multipath /var/run/multipathd.sock

🧯 If You Can't Patch

  • Implement strict access controls to limit local user privileges
  • Monitor for suspicious activity involving multipathd or socket writes

🔍 How to Verify

Check if Vulnerable:

Check device-mapper-multipath version against vendor advisories

Check Version:

rpm -q device-mapper-multipath  # For RPM systems
multipathd version  # Check running version

Verify Fix Applied:

Verify updated package version and test multipath functionality
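Added helper script (not from the advisory or the multipath-tools project) that joins the socket workaround above with the verification steps: it classifies the multipathd socket from `ss -xl` output, checks a pathname socket's mode and owner against the chmod/chown values given in the workaround, and looks for the CVE id in the rpm changelog, which catches backported fixes that leave the package version unchanged. The path /var/run/multipathd.sock and the root:multipath owner are the ones from the workaround; the ss lines and changelog text used below are constructed samples. One caveat the checks make visible: ss prints abstract-namespace sockets with a leading '@', and those have no filesystem permissions, so on a host where multipathd listens on such a socket the chmod/chown workaround has nothing to act on and patching is the only fix.

```shell
#!/bin/sh
# Added example (not from the advisory or the multipath-tools project): helper
# checks for the socket workaround and the version check above.
# Assumptions: the pathname socket /var/run/multipathd.sock and the root:multipath
# owner come from the workaround; sample ss lines and changelog text are constructed.

# Classify one line of `ss -xl` output for multipathd. ss prints abstract-namespace
# sockets with a leading '@' in the Local Address column; those have no inode, so
# chmod/chown cannot restrict them. Echoes: abstract | pathname | none.
classify_socket() {
    line=$1
    case "$line" in
        *multipathd*) ;;
        *) echo none; return 0 ;;
    esac
    case "$line" in
        *" @"*) echo abstract ;;
        *)      echo pathname ;;
    esac
}

# Compare mode/owner/group (as printed by `stat -c '%a %U %G'`) with the
# workaround: owned by root, group multipath, no permission bits for "other".
socket_perms_ok() {
    mode=$1 owner=$2 group=$3
    other=${mode#${mode%?}}        # last octal digit = permissions for "other"
    [ "$owner" = root ] && [ "$group" = multipath ] && [ "$other" = 0 ]
}

# Look for the CVE id in changelog text (`rpm -q --changelog device-mapper-multipath`).
# Vendors that backport fixes usually name the CVE in the changelog while the
# package version stays the same, so a bare version compare would miss the fix.
changelog_mentions_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2022-3787'
}

# Live audit, only meaningful on a host running multipathd: `sh audit.sh --audit`.
audit_multipathd_socket() {
    line=$(ss -xl 2>/dev/null | grep multipathd | head -n 1)
    kind=$(classify_socket "$line")
    case "$kind" in
        none)     echo "no multipathd socket is listening" ;;
        abstract) echo "multipathd uses an abstract socket: chmod/chown workaround does not apply, patch instead" ;;
        pathname)
            sock=/var/run/multipathd.sock        # path from the workaround (assumption)
            [ -S "$sock" ] || { echo "$sock not found"; return 1; }
            set -- $(stat -c '%a %U %G' "$sock")
            if socket_perms_ok "$1" "$2" "$3"; then
                echo "$sock permissions match the workaround ($1 $2 $3)"
            else
                echo "$sock is $1 $2 $3: apply chmod 660 and chown root:multipath"
            fi ;;
    esac
}

if [ "${1:-}" = --audit ]; then
    audit_multipathd_socket
fi
```

Run it with `--audit` on the host being checked; without the flag it only defines the functions, so it can be sourced from other audit scripts.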

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to /var/run/multipathd.sock
  • Unexpected multipath configuration changes
  • Privilege escalation attempts

Network Indicators:

  • None - local exploit only

SIEM Query:

process:multipathd AND (file_access:/var/run/multipathd.sock OR privilege_escalation)
