In October, the security expert Phil Oester discovered a flaw in the Linux kernel, dubbed ‘Dirty COW‘ that could be exploited by a local attacker to escalate privileges.
The name “Dirty COW” is due to the fact that it’s triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.
Now a security expert discovered a serious five-year-old privilege-escalation vulnerability, tracked as CVE-2016-8655, that affects every Linux distro, including Ubuntu, Red Hat, and Debian.
“A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer,” reads the security advisory issued Red Hat.
“A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.”
The flaw was disclosed today by the security researcher Philip Pettersson, it dates back to 2011.
The vulnerability could be exploited by an unprivileged local user to gain root privileges by exploiting a race condition in the af_packet implementation in the Linux kernel.
“This is an announcement about CVE-2016-8655 which is a race-condition I found in Linux (net/packet/af_packet.c). It can be exploited to gain kernel code execution from unprivileged processes.” wrote Pettersson. ” The bug was introduced on Aug 19, 2011: https://github.com/torvalds/linux/commit/f6fb8f100b807378fda19e83e5ac6828b638603a“
The security expert created an exploit to gain a root shell on an Ubuntu 16.04 LTS system (Linux Kernel 4.4) and also defeated SMEP/SMAP (Supervisor Mode Execution Prevention/Supervisor Mode Access Prevention) protection to gain kernel code execution abilities.
An attacker can use the Pettersson’s exploit to run arbitrary malicious code with administrative privileges on the targeted PC or cause a denial of service.
“A race condition issue leading to a use-after-free flaw was found in the way the raw packet sockets implementation in the Linux kernel networking subsystem handled synchronization while creating the TPACKET_V3 ring buffer,” Red Hat security advisory explains.
“A local user able to open a raw packet socket (requires the CAP_NET_RAW capability) could use this flaw to elevate their privileges on the system.”
“On Android, processes with gid=3004/AID_NET_RAW are able to create AF_PACKET sockets (mediaserver) and can trigger the bug,” added Pettersson.
Below the Timeline for the CVE-2016-8655 bug that was fixed in the mainline kernel last week
Don’t waste time, update your Linux distro as soon as possible.
[adrotate banner=”9″]
(Security Affairs – CVE-2016-8655, Linux)