Attackers exploit ancient 'Dirty COW' kernel flaw

Administrators are being urged to patch against a critical flaw under active exploit which affects all existing Linux kernels and allows unprivileged local users to elevate their rights.

The "Dirty COW" flaw has been around for over a decade. Copy-on-write (COW) optimises performance by letting code that calls on resources avoid duplication by creating a pointer for reuse.

But a bug in the Linux kernel's memory subsystem code can be exploited by attackers without leaving a trace. With a local system account, attackers can bypass permission settings and modify binaries stored on disk.

Security researcher Phil Oester, who found and reported the flaw, told V3 the vulnerability was being exploited in the wild.

Oester said he found the exploit by analysing packet captures of incoming HTTP web traffic. He said the packet captures indicate that the flaw has been exploited since 2007 when it first appeared in the Linux 2.6.22 kernel.

Red Hat published an advisory for the vulnerability, which has been given the common vulnerabilities and exposures tag CVE-2016-5195. The Debian distribution and Ubuntu Linux have also issued advisories, as has Fedora.

A patch has been committed to the Linux kernel source tree.

Linux creator Linus Torvalds revealed he had tried to fix the problem a long time ago but hadn't got it quite right.

"This is an ancient bug that was actually attempted to be fixed once (badly) by me 11 years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug")", Torvalds wrote.

Red Hat engineer Petr Matousek posted mitigation measures against the flaw. He said the single in-the-wild exploit he was aware of doesn't work on RH Enterprise Linux 5 and 6 out of the box.

The exploit tries to write to the /proc/self/mem file used by the kernel, which is not writeable on either versions of those Linux distributions, Matousek said.