CVE-2022-3787 in device-mapper-multipath

Summary

by MITRE • 03/30/2023

A vulnerability was found in the device-mapper-multipath. The device-mapper-multipath allows local users to obtain root access, exploited alone or in conjunction with CVE-2022-41973. Local users that are able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This issue occurs because an attacker can repeat a keyword, which is mishandled when arithmetic ADD is used instead of bitwise OR. This could lead to local privilege escalation to root.


Analysis

by VulDB Data Team • 05/20/2025

The vulnerability identified as CVE-2022-3787 resides within the device-mapper-multipath component of Linux systems, representing a critical local privilege escalation flaw that can be exploited by unprivileged users to gain root access. This vulnerability specifically affects systems utilizing multipath device management where local users possess the ability to write to UNIX domain sockets. The flaw stems from improper handling of keyword repetition within the multipath configuration processing logic, creating a condition where arithmetic ADD operations are incorrectly employed instead of bitwise OR operations during keyword processing. This misconfiguration allows attackers to manipulate the multipath setup in ways that bypass existing access controls and authorization mechanisms.

The exploitation of CVE-2022-3787 leverages a design flaw in how device-mapper-multipath handles keyword repetition during configuration parsing. When an attacker submits input containing repeated keywords, the system combines them with arithmetic ADD rather than the expected bitwise OR, so repeating one keyword can yield a value that the parser treats as a different keyword or command. This error undermines the access control enforcement mechanism and allows unauthorized modifications to the multipath configuration, which can then be leveraged to escalate privileges. The vulnerability is particularly dangerous because it can be exploited independently or in conjunction with CVE-2022-41973, giving an attack chain that bypasses multiple security layers. The flaw manifests when the multipath daemon processes data received over UNIX domain sockets, where local users with write permission can submit input that triggers the improper arithmetic handling.
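To make the defect class concrete, the following is an added example (written for this page, not code from multipath-tools or from VulDB) of a keyword-to-bitmask command parser of the kind the advisory describes. Keyword names, bit values and the handler table are constructed for illustration and are not multipathd's real codes. The vulnerable accumulator folds keyword bits with arithmetic ADD, the fixed one uses bitwise OR, and a stricter variant refuses any command that repeats a keyword.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed keyword bits for illustration only; not multipathd's real codes. */
enum {
    KW_LIST        = 1u << 0,
    KW_SHOW        = 1u << 1,
    KW_MAPS        = 1u << 2,
    KW_RECONFIGURE = 1u << 3,   /* stands in for a privileged keyword */
};

struct entry { const char *name; uint32_t code; };

static const struct entry keywords[] = {
    { "list",        KW_LIST },
    { "show",        KW_SHOW },
    { "maps",        KW_MAPS },
    { "reconfigure", KW_RECONFIGURE },
};

/* Hypothetical dispatch table: each handler is selected by its fingerprint. */
static const struct entry handlers[] = {
    { "list",        KW_LIST },
    { "list maps",   KW_LIST | KW_MAPS },
    { "show maps",   KW_SHOW | KW_MAPS },
    { "reconfigure", KW_RECONFIGURE },
};

typedef int (*accumulate_fn)(uint32_t bit, uint32_t *acc);

static int lookup_keyword(const char *word, uint32_t *bit)
{
    for (size_t i = 0; i < sizeof keywords / sizeof keywords[0]; i++)
        if (strcmp(keywords[i].name, word) == 0) { *bit = keywords[i].code; return 0; }
    return -1;
}

/* Tokenize cmd on spaces and fold each keyword's bit into *fp with the given accumulator.
 * Returns 0 on success, -1 on an unknown keyword, an oversized command, or accumulator refusal. */
static int fingerprint(const char *cmd, accumulate_fn fold, uint32_t *fp)
{
    char buf[256];
    if (strlen(cmd) >= sizeof buf) return -1;
    strcpy(buf, cmd);
    *fp = 0;
    for (char *w = strtok(buf, " "); w != NULL; w = strtok(NULL, " ")) {
        uint32_t bit;
        if (lookup_keyword(w, &bit) < 0 || fold(bit, fp) < 0) return -1;
    }
    return 0;
}

/* VULNERABLE: arithmetic ADD. Four "list" tokens sum to 4 == KW_MAPS; eight sum to 8 == KW_RECONFIGURE. */
static int acc_add(uint32_t bit, uint32_t *acc) { *acc += bit; return 0; }

/* FIXED: bitwise OR is idempotent, so repeating a keyword cannot produce another keyword's bit. */
static int acc_or(uint32_t bit, uint32_t *acc) { *acc |= bit; return 0; }

/* STRICTER: OR, and additionally refuse a command that repeats any keyword. */
static int acc_strict(uint32_t bit, uint32_t *acc)
{
    if (*acc & bit) return -1;
    *acc |= bit;
    return 0;
}

int fingerprint_add(const char *cmd, uint32_t *fp)    { return fingerprint(cmd, acc_add, fp); }
int fingerprint_or(const char *cmd, uint32_t *fp)     { return fingerprint(cmd, acc_or, fp); }
int fingerprint_strict(const char *cmd, uint32_t *fp) { return fingerprint(cmd, acc_strict, fp); }

/* Name of the handler a fingerprint would select, or "unknown". */
const char *dispatch_name(uint32_t fp)
{
    for (size_t i = 0; i < sizeof handlers / sizeof handlers[0]; i++)
        if (handlers[i].code == fp) return handlers[i].name;
    return "unknown";
}

int main(void)
{
    const char *cmd = "list list list list list list list list";  /* only the harmless keyword, repeated */
    uint32_t fp;

    fingerprint_add(cmd, &fp);
    printf("ADD    : fp=%u -> handler \"%s\"\n", fp, dispatch_name(fp));   /* fp=8 -> "reconfigure" */
    fingerprint_or(cmd, &fp);
    printf("OR     : fp=%u -> handler \"%s\"\n", fp, dispatch_name(fp));   /* fp=1 -> "list" */
    printf("STRICT : %s\n", fingerprint_strict(cmd, &fp) < 0 ? "rejected (repeated keyword)" : "accepted");
    return 0;
}
```

The point for reviewers of similar code: with ADD, a command built only from an unprivileged keyword reaches the privileged handler's fingerprint, so any authorization decision keyed on the fingerprint, or on the words as typed, disagrees with what actually gets dispatched. OR closes the forgery; rejecting repeats additionally turns the anomaly into a loggable error, which is the signal a defender would want to alert on.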

The operational impact of this vulnerability extends beyond simple privilege escalation, as it represents a fundamental breakdown in the security model of multipath device management systems. Attackers can exploit this weakness to manipulate the underlying storage configuration, potentially redirecting I/O operations to malicious targets or disabling critical storage paths. The vulnerability affects systems where device-mapper-multipath is actively used for storage multipathing, which is common in enterprise environments with high availability storage configurations. When combined with CVE-2022-41973, the attack surface expands significantly, as the combined exploitation can provide attackers with complete control over the storage subsystem and potentially enable further lateral movement within the network. This vulnerability is classified under CWE-191 as an Integer Underflow or Wraparound, and aligns with ATT&CK techniques related to privilege escalation through configuration flaws and access control bypass.

Mitigation for CVE-2022-3787 requires prompt patching of the device-mapper-multipath package through official distribution channels, as vendors have released security updates addressing the arithmetic operation handling flaw. System administrators should also restrict write permission on the UNIX domain sockets used by multipath components, monitor for unauthorized configuration changes, and apply proper access controls to multipath configuration files. The vulnerability illustrates the importance of input validation and of choosing the correct arithmetic or bitwise operation in security-sensitive code paths. Organizations should review their multipath configurations and ensure that only authorized users can write to the relevant domain sockets. Network segmentation and monitoring for unusual multipath configuration changes can additionally help detect exploitation attempts and provide early warning of compromise.

Reservation

11/01/2022

Disclosure

03/30/2023

Moderation

accepted

CPE

ready

EPSS

0.00055

KEV

no

Activities

very low

Sources
