Serious Dirty Cow Linux Vulnerability Under Attack

A privilege escalation vulnerability, nicknamed Dirty Cow and present in Linux since 2007, has been used in public attacks against web-facing Linux servers.

A nine-year-old Linux vulnerability that affects most of the major distributions has been recently used in public attacks. The flaw, nicknamed Dirty Cow because it lives in the copy-on-write (COW) feature in Linux, is worrisome because it can give a local attacker root privileges.

While the Linux kernel was patched on Wednesday, the major distributions are preparing patches. Red Hat, for example, told Threatpost that it has a temporary mitigation available through the kpatch dynamic kernel patching service that customers can receive through their support contact.

Dirty Cow is a privilege escalation vulnerability in copy-on-write, CVE-2016-5195. A race condition exists that allows local users to gain write-access to read-only memory and elevate their privileges to root.

Exploits were discovered recently by researcher Phil Oester, who published an informational website on the bug that includes links to details on the flaw and a proof-of-concept exploit. Oester said the bug has been in the kernel since version 2.6.22, released in 2007.

“This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,” Oester said on his website.

Red Hat Security Strategist Josh Bressers said the vulnerability is serious but since it is not remotely exploitable, it’s less critical than Heartbleed and other Internet-wide bugs admins have dealt with in the last two-plus years.

“It’s not on-fire bad like some of the other bugs that have names,” Bressers said. “An attacker has to have broken in already and then exercise the flaw to gain root. It’s serious, but much less serious because you essentially need two exploits versus just one.”

Copy-on-write is a feature used in programming across platforms that manages resources in memory. Multiple processes may share that same page until a user needs to write to it, which is known as marking the page dirty, Bressers said.

“The problem comes down to the fact that there was a logic error in the Linux kernel that said you could exercise a race condition so that before the kernel separates pages that are marked dirty, it would let you write to the original page,” Bressers said. “At the same time, another part of the process is writing to it. It allows you to change a file on the disk you shouldn’t be able to change.”

Bressers said that attackers would also be limited in virtual machines and containers. For example, they would not be able to escape a virtual machine and attack the host server.

“Current exploits don’t work in containers given the way they work,” Bressers said. “If it could be exploited in the container, the containment technology will keep you in the container. You need something else to get out. So it’s clear, newer technology is useful as a mitigation in this case.”

Suggested articles