Serious Dirty COW bug leaves millions of Linux users vulnerable to attack

A vulnerability discovered in the Linux kernel has been present for nine years, and users are being advised to seek out and install a patch as soon as they possibly can. Dubbed Dirty COW, the bug is a privilege escalation vulnerability which can be found in just about every Linux distro out there.

Discovered by security expert Phil Oester, Dirty COW is described as one of the most serious bugs of its type ever found in Linux. Assigned the code CVE-2016-5195, there is evidence that the vulnerability has been exploited and a website set up to alert people to the problem advises that the "security community should deploy honeypots that entrap attackers and to alert about exploitation attempts".

While the bug has now been patched, it's important that Linux users check that they have the patch installed. With Linux used to power so many web servers around the world, the potential impact of a successful exploit is huge. What’s particularly concerning about the exploit is that it is all but impossible for antivirus and security software to detect, and once exploited, there is no evidence of what has happened.

The description of Dirty COW on the Red Hat site explains:

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

The Dirty COW advisory site was set up to help spread word of the problem. There is a stark warning that attacks could be very difficult to detect:

Although the attack can happen in different layers, antivirus signatures that detect Dirty COW could be developed. Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary. This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether.

In an email to Ars Technica, Oester explains how he discovered the vulnerability:

Any user can become root in < 5 seconds in my testing, very reliably. Scary stuff.

The vulnerability is easiest exploited with local access to a system such as shell accounts. Less trivially, any web server/application vulnerability which allows the attacker to upload a file to the impacted system and execute it also works.

The particular exploit which was uploaded to my system was compiled with GCC 4.8.5 released 20150623, though this should not imply that the vulnerability was not available earlier than that date given its longevity. As to who is being targeted, anyone running Linux on a web facing server is vulnerable.

For the past few years, I have been capturing all inbound traffic to my webservers for forensic analysis. This practice has proved invaluable on numerous occasions, and I would recommend it to all admins. In this case, I was able to extract the uploaded binary from those captures to analyze its behavior, and escalate to the appropriate Linux kernel maintainers.