The security expert Phil Oester discovered in the Linux kernel a new flaw, dubbed ‘Dirty COW‘ that could be exploited by a local attacker to escalate privileges.
The name “Dirty COW” is due to the fact that it’s triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
According to the security advisory published by Red Had, the vulnerability, tracked as CVE-2016-5195, allows local attackers to modify existing setuid files.
“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.” states the Red Had security advisory.
“This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild.”
Red Hat also confirmed that attackers are using an exploit leveraging the Dirty COW in the wild.
The good news is that a solution to the issue is already available and Linux distributions have started releasing updates.
There is also a curious aspect of the Dirty COW, researchers that discovered it launched a sort of marketing operation around the issue, created a website, a logo and a Twitter account. They are also running a shop that sells “Dirty COW” mugs and t-shirts.
Let me close with one of the questions in the FAQ session of the website:
Can my antivirus detect or block this attack?
“Although the attack can happen in different layers, antivirus signatures that detect Dirty COW could be developed. Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary. This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether.”
The researchers also published the exploit code on GitHub.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Linux, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Fortinet vulnerability to its Known Exploited Vulnerabilities…
Kosovar citizen extradited to the US for running the cybercrime marketplace BlackDB.cc appeared in federal…
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft Windows flaws to its Known Exploited…
Ivanti addressed two Endpoint Manager Mobile (EPMM) software vulnerabilities that have been exploited in limited…
Microsoft Patch Tuesday security updates for May 2025 addressed 75 security flaws across multiple products, including…
Fortinet fixed a critical remote code execution zero-day vulnerability actively exploited in attacks targeting FortiVoice…
This website uses cookies.