Dirty COW Linux kernel zero-day exploited in the wild is now patched

Linux developer Phil Oester has spotted attackers exploiting a Linux kernel zero-day privilege escalation flaw that dates back to 2007, and has raised the alarm.

Dirty COW

The vulnerability (CVE-2016-5195) has been dubbed Dirty COW by a community-maintained project that took it upon itself to raise the flaw's visibility by giving it a name and a logo, despite its members' dislike of “branded” vulnerabilities.

Why was it named so?

Because, as explained by Red Hat developers, the source of the flaw is a race condition in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.

“Exploitation of this bug does not leave any trace of anything abnormal happening to the logs,” the Dirty COW project noted. Phil Oester spotted the exploit as it was uploaded to one of his webservers.

“For the past few years, I have been capturing all inbound traffic to my webservers for forensic analysis. This practice has proved invaluable on numerous occasions, and I would recommend it to all admins. In this case, I was able to extract the uploaded binary from those captures to analyze its behavior, and escalate to the appropriate Linux kernel maintainers,” he told Ars Technica.

“The vulnerability is easiest exploited with local access to a system such as shell accounts. Less trivially, any web server/application vulnerability which allows the attacker to upload a file to the impacted system and execute it also works,” he added.

The project has made a partial exploit publicly available and has provided a full exploit to security researchers, but it is a safe bet that a full exploit will soon trickle down to potential attackers.

Exploitation of the flaw could allow attackers to achieve root access on vulnerable systems.

Dirty COW has been patched

The flaw has now been patched by Linux kernel maintainers. In fact, this bug was not unknown to them. Linus Torvalds said that he attempted to fix the flaw eleven years ago, but the fix was undone due to other problems. So, the bug is apparently even older than first believed.

Oester says all Linux users need to take this bug very seriously, and patch their systems as soon as possible.

Red Hat, Debian and Ubuntu developers have already pushed out a patch, and other Linux distros that supply the kernel to their users are expected to follow.

According to The Register, the flaw is also present in Android, as it is based on the Linux kernel.

Many embedded devices (routers, Wi-Fi access points, NAS appliances, smart TVs, and so on) are also based on it, and that’s going to be a much bigger problem – many manufacturers are slow and/or lax at pushing out security updates for their products.
