A vulnerability has been discovered in the Linux kernel which could give untrusted users unfettered root access. This vulnerability has been present in the Linux kernel for nine years but has only just been discovered. The vulnerability allows for privilege escalation that can be exploited easily and reliably. The fact that this flaw exists in nearly every version of Linux from at least the last nine years means this vulnerability should be taken seriously and patched as soon as distribution specific patches are available.
What it is?
As their names suggest, privilege escalation vulnerabilities allow attackers with only limited access to target a computer and gain much greater access rights, and therefore control over the system. The vulnerability itself, known as a race condition, involves the way Linux memory handles a duplication technique called copy-onwrite. Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available below. Using the acronym derived from ‘copy-onwrite’, some researchers have dubbed the vulnerability ‘Dirty COW’.
Which products are affected?
The vulnerability affects most versions of Linux released in the last nine years, which given the ubiquity of the open source operating system, means a large number of unpatched systems are potentially exposed to the exploit. Researchers are already claiming to see the Dirty COW vulnerability being exploited out in the wild.
What could happen if the vulnerabilities were exploited?
These exploits could be used against Web hosting providers that provide shell access, such that one customer could attack other customers or service administrators.
Privilege escalation exploits can also be combined with other attacks to target other vulnerabilities. A SQL injection weakness in a website, for instance, often allows attackers to run malicious code only as an untrusted user. Combined with an escalation exploit an attacker could achieve root access.
How can I find out if I am at risk?
If you are using a Linux distribution released in the last nine years then this system is likely to be vulnerable if it hasn’t been recently patched.
How can I tell if this exploit has been used against me?
It would be very difficult to determine if you have been the victim of this type of attack since exploitation of this bug does not leave any trace of anything abnormal in the logs. Further activity or attacks following post-privilege exploitation itself could leave more evidence of exploitation.
What can I do?
The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important". Other distributions have released patches and these should be tested and applied as soon as possible.
Where can I find more information?
A full breakdown of the vulnerability is available on the dirtycow.ninja website and via Red Hat’s blog. You can also refer to the full Bugzilla report.