In modern world, user security is a crucial factor when it comes to deciding on a service, technology or an operating system. This is precisely why various companies go the distance to convince potential customers that they provide the most secure platform. The venerable open-source operating system, Linux, has often been under the scanner for vulnerabilities, and now a security researcher has discovered a nine-year old flaw is seeing active exploits in the wild. The local privilege escalation vulnerability is a kernel flaw can give any user write access that could lead to complete root access.
Phil Oester, the Linux security researcher who initially discovered the flaw (CVE-2016-5195), told V3 that organisations and individuals have been asked to patch the Linux servers in order to avoid this bug, which has been dubbed as ‘Dirty COW’, an acronym for the duplication technique called copy-on-write.
“The exploit in the wild is trivial to execute, never fails and has probably been around for years – the version I obtained was compiled with gcc 4.8,” Oester was quoted as saying in the report. In an email to Ars Technica, he added, “Any user can become root in < 5 seconds in my testing, very reliably. Scary stuff… The vulnerability is easiest exploited with local access to a system such as shell accounts. Less trivially, any web server/application vulnerability which allows the attacker to upload a file to the impacted system and execute it also works.”
The bug was first patched 11 years ago, admittedly ‘badly’, by Linus Torvalds himself. But the fox was later undone in another code commit, Torvalds explains in his notes for the latest patch to the Linux kernel. Oester estimates the bug has existed since 2007, and adds that the flaw is currently being exploited maliciously – something he discovered with “rolling packet captures”.
“As to who is being targeted, anyone running Linux on a web facing server is vulnerable,” Oester adds. Ars Technica points out flaw is in section of the Linux kernel that’s part of “virtually every distribution of the open-source OS released for almost a decade.” Distributors are now releases patches for their versions of Linux.
“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged, local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system,” Red Hat said in a note regarding the kernel flaw.
Even though the attack complexity is a problem, because they can target different layers, Oester suggested that an antivirus software can be programmed to detect – but not block – an attack. As per the dedicated page for this flaw, exploitation of this bug doesn’t leave any traces behind.