Antique Kernel Flaw Opens Door to New Dirty Cow Exploit
Oct 25, 2016 4:08 PM PT
A Linux kernel vulnerability that has been present for the better part of a decade once again poses a threat, Red Hat warned last week, after an exploit that lets a local attacker gain elevated privileges on affected systems turned up in the wild.
Users need to patch their systems to keep the exploit, known as "Dirty COW," from letting unprivileged attackers escalate their privileges.
"This flaw has actually been in the kernel for a better part of a decade -- what's changed isn't the vulnerability itself, but rather the manner in which it's being exploited," said Josh Bressers, a security strategist at Red Hat.
"As attack methods have become more sophisticated, hardware has become faster, and the kernel [has become] more predictable, a bug that was once thought to be impossible to exploit is now possible to exploit," he told LinuxInsider.
Out of the Shadows
Linux security researcher Phil Oester rediscovered the flaw while examining a server that appeared to have been under attack, he told V3.
A race condition was found in the way the Linux kernel's memory subsystem handled copy-on-write breakage of private read-only memory mappings, Red Hat explained in last week's security update for the flaw, tracked as CVE-2016-5195.
Unprivileged local users could use the flaw to gain write access to otherwise read-only memory mappings and so increase their privileges on the system, the update states. The issue affects the Linux kernel packages shipped with Red Hat Enterprise Linux 5, 6 and 7 and with Red Hat Enterprise MRG 2.x.
Shipping versions of Fedora are also affected, and Fedora is aware of the flaw, the warning notes.
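To make concrete what "copy-on-write breakage of a private read-only mapping" means, here is an added example written for this page (it is not code from Red Hat, the researchers quoted, or the article). It maps a file the process is only allowed to read, makes the private mapping writable, writes into it, and then checks that the write landed in the process's private copy while the file on disk stayed untouched. That is the invariant a correct kernel enforces and the one Dirty COW let a local user violate; the race itself is deliberately not reproduced here. The temp-file path and its contents are constructed for the demonstration.

```c
/* Added example: the copy-on-write invariant for a private, read-only
 * file mapping. Not from the original article or any vendor advisory. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample content standing in for a file the user may read
 * but not write (think /etc/passwd or a setuid binary). */
static const char ORIGINAL[] = "root:x:0:0:root:/root:/bin/bash\n";

/* Returns 1 if a write through a MAP_PRIVATE mapping of a read-only file
 * modifies only the process's private copy and leaves the file unchanged,
 * 0 if the write reached the file (the behaviour Dirty COW allowed),
 * -1 if the demo could not be set up. */
int private_mapping_write_stays_private(void)
{
    const size_t len = sizeof ORIGINAL - 1;
    char path[] = "/tmp/cow-demo-XXXXXX";
    char local[] = "cow-demo-XXXXXX";
    char *used = path;

    int fd = mkstemp(path);
    if (fd < 0) {                    /* fall back to the working directory */
        fd = mkstemp(local);
        used = local;
        if (fd < 0) return -1;
    }
    if (write(fd, ORIGINAL, len) != (ssize_t)len) { close(fd); unlink(used); return -1; }
    close(fd);

    /* Re-open read-only: the attacker's position, a readable but not
     * writable file. */
    fd = open(used, O_RDONLY);
    if (fd < 0) { unlink(used); return -1; }

    /* Private, read-only mapping of that file. Any write must be served
     * from a private copy of the page, never written back to the file. */
    char *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);
    if (map == MAP_FAILED) { unlink(used); return -1; }

    /* The kernel allows a MAP_PRIVATE mapping to become writable even
     * though the descriptor was read-only, precisely because the first
     * write "breaks COW" and gives the process its own copy of the page. */
    if (mprotect(map, len, PROT_READ | PROT_WRITE) != 0) {
        munmap(map, len); unlink(used); return -1;
    }
    memcpy(map, "hack", 4);
    int visible_in_map = memcmp(map, "hack", 4) == 0;

    /* Read the file back from disk and compare with what we wrote. */
    char buf[sizeof ORIGINAL];
    fd = open(used, O_RDONLY);
    ssize_t n = fd < 0 ? -1 : read(fd, buf, len);
    if (fd >= 0) close(fd);
    munmap(map, len);
    unlink(used);
    if (n != (ssize_t)len) return -1;

    int file_unchanged = memcmp(buf, ORIGINAL, len) == 0;
    return (visible_in_map && file_unchanged) ? 1 : 0;
}

int main(void)
{
    int r = private_mapping_write_stays_private();
    if (r < 0) { puts("setup failed"); return 2; }
    puts(r == 1 ? "write stayed in the private copy; file untouched"
                : "write reached the read-only file!");
    return r == 1 ? 0 : 1;
}
```

The single write here is legitimate behaviour on every kernel, patched or not; what the vulnerability added was a way to race the kernel's handling of that private page so that the write was applied to the file-backed page instead of the copy. A check that the invariant holds, as above, is what a patched system must always pass.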
Red Hat advised users running affected versions of the kernel to update as soon as patches become available, adding that a system reboot will be required to make sure the kernel update is applied.
A patch for customers running Red Hat Enterprise Linux 7.2 or greater will be available, according to the company. For several other versions of Red Hat Enterprise Linux, an active Extended Update Support subscription will be required to access the patch.
Users who don't have an active EUS subscription will have to contact Red Hat sales representatives, the company said. For those using Red Hat Enterprise Linux 6.2, 6.4 and 6.5, an active Advanced Update Support subscription will be required for access to the patch.
"The major risks are that an attacker exploiting this -- and there has been an identified attack in the wild via HTTP -- would be able to replace known binaries, including the replacement of core system applications, compilers and various publicly exposed systems -- SSH daemons, Web servers, and so on," said Kevin O'Brien, CEO of GreatHorn.
"From a risk perspective, the age, ease of exploit, and reliability of this particular vulnerability is particularly concerning," he told LinuxInsider.
Seeing a CVE of this magnitude, when combined with an in-the-wild implementation, makes this a critical issue for any systems administrator, O'Brien said.
That said, since the exploit must run as a local user on the target rather than remotely over the network, it's a two-step process for the attacker, noted Red Hat's Bressers: first gain the ability to execute code on the host, then use the flaw to escalate privileges.
"Given that most modern IT environments do not allow local untrusted users, it's a serious vulnerability, but one that requires effort on the part of the attacker to exploit," he explained.
If successful, unprivileged attackers would be able to change, remove or copy content that otherwise would be inaccessible.