Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel
A nine-year-old Linux vulnerability that affects most of the major distributions has recently been used in public attacks. The flaw, nicknamed Dirty Cow because it lives in the copy-on-write (COW) feature in Linux, is worrisome because it can give a local attacker root privileges. While the Linux kernel was patched on Wednesday, the major distributions are preparing patches. Red Hat, for example, told Threatpost that it has a temporary mitigation available through the kpatch dynamic kernel patching service that customers can receive through their support contact.
Dirty Cow is a privilege escalation vulnerability in copy-on-write, CVE-2016-5195. A race condition allows local users to gain write access to read-only memory mappings and elevate their privileges to root. Exploits were discovered recently by researcher Phil Oester, who published an informational website on the bug that includes links to details on the flaw and a proof-of-concept exploit. Oester said the bug has been in the kernel since version 2.6.22, released in 2007.
“This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set,” Oester said on his website.
Red Hat Security Strategist Josh Bressers said the vulnerability is serious, but since it is not remotely exploitable, it is less critical than Heartbleed and the other Internet-wide bugs admins have dealt with in the last two-plus years.
“It’s not on-fire bad like some of the other bugs that have names,” Bressers said. An attacker has to have broken in already and then exercise the flaw to gain root. It is serious, but much less so because you essentially need two exploits instead of one. Copy-on-write is a feature used in programming across platforms that manages resources in memory. Multiple processes may share the same page until one of them needs to write to it, which is known as marking the page dirty, Bressers said.
The problem comes down to a logic error in the Linux kernel: by exercising a race condition, before the kernel separates pages that are marked dirty, it would let you write to the original page, Bressers said, while at the same time another part of the process is writing to it. That allows you to change a file on disk that you should not be able to change. Bressers said that attackers would also be limited in virtual machines and containers. For example, they would not be able to escape a virtual machine and attack the host server. Current exploits do not work in containers given the way they work, Bressers said. Even if it could be exploited inside a container, the containment technology would keep the attacker in the container; something else would be needed to get out. So, to be clear, newer technology is useful as a mitigation in this case.
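The guarantee Bressers describes, that a write to a shared page lands in the writer's private copy and never in the file it was mapped from, can be exercised directly. The following C program is an added example written for this page; it is not code from the article, from Oester's site or from the kernel. It assumes Linux with a writable /tmp, creates a small throwaway file with constructed contents, reopens it read-only, maps it MAP_PRIVATE with PROT_WRITE, writes through the mapping, and checks that the bytes on disk are untouched while the mapping shows the new bytes. It only takes the ordinary, non-racing path, so it returns 1 on patched and unpatched kernels alike: it illustrates the invariant that Dirty Cow violates, it is not a vulnerability test.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample contents for the throwaway file (not from the article). */
static const char ORIGINAL[] = "original-bytes";
static const char MODIFIED[] = "modified-bytes";   /* same length as ORIGINAL */

/* Create a small file under /tmp (assumed writable), reopen it read-only, map it
 * MAP_PRIVATE with PROT_WRITE, write through the mapping, and verify that the
 * write landed in a private copy of the page rather than in the file itself.
 * Returns 1 if copy-on-write isolation held, 0 if the file on disk changed,
 * -1 on a setup error (mmap refused, /tmp unavailable, ...). */
int private_write_stays_private(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/cow-demo-%ld", (long)getpid());

    int fd = open(path, O_CREAT | O_TRUNC | O_RDWR, 0600);
    if (fd < 0) return -1;
    if (write(fd, ORIGINAL, sizeof ORIGINAL) != (ssize_t)sizeof ORIGINAL) {
        close(fd); unlink(path); return -1;
    }
    close(fd);

    /* Read-only descriptor: this process holds no write permission on the file. */
    fd = open(path, O_RDONLY);
    if (fd < 0) { unlink(path); return -1; }

    long pg = sysconf(_SC_PAGESIZE);
    char *map = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); unlink(path); return -1; }

    /* The first write to a MAP_PRIVATE page is the copy-on-write moment: the
     * kernel must hand this process its own anonymous copy of the page instead
     * of dirtying the page-cache page that backs the file. */
    memcpy(map, MODIFIED, sizeof MODIFIED);
    int mapping_changed = memcmp(map, MODIFIED, sizeof MODIFIED) == 0;

    /* Re-read the file through a fresh descriptor (served from the page cache). */
    char buf[sizeof ORIGINAL] = {0};
    int fd2 = open(path, O_RDONLY);
    ssize_t n = (fd2 < 0) ? -1 : read(fd2, buf, sizeof buf);
    if (fd2 >= 0) close(fd2);
    int file_unchanged = (n == (ssize_t)sizeof ORIGINAL) &&
                         memcmp(buf, ORIGINAL, sizeof ORIGINAL) == 0;

    munmap(map, (size_t)pg);
    close(fd);
    unlink(path);

    if (n < 0) return -1;
    return (mapping_changed && file_unchanged) ? 1 : 0;
}

int main(void)
{
    int r = private_write_stays_private();
    if (r < 0) { perror("setup failed"); return 2; }
    printf("copy-on-write isolation %s\n",
           r ? "held: file on disk unchanged" : "BROKEN: write reached the file");
    return r ? 0 : 1;
}
```

The read-only descriptor matters: it is the situation Oester's quote describes, a local account that can read a binary but has no permission to write it. The mapping is writable only because MAP_PRIVATE promises the kernel will copy the page before the write becomes visible, and the race in CVE-2016-5195 is a failure of exactly that promise.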