Red Hat Discovers Dirty COW Archaic Linux Kernel Flaw Exploited In The Wild

A nearly decade-old security flaw in the Linux kernel is now being exploited by hackers in the real world, Red Hat has discovered.

Dubbed Dirty COW, a name derived from how the flaw exploits the way the Linux kernel’s memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings, the flaw exists in nearly all versions of the Linux operating system, and researchers are advising Linux users to patch the hole as soon as possible.

“An unprivileged local user could use this flaw to gain write access to otherwise read only memory mappings and thus increase their privileges on the system,” Red Hat’s security advisory explained.

Dirty COW

On its surface, Dirty COW simply gives people using the exploit greater access to and control over a targeted computer, rather than being a flaw which allows for code execution.

However, there are two aspects that make it dangerous. The first is that, with elevated privileges, a hacker can use Dirty COW alongside other malware more effectively, as they could execute malicious code as a root user with more access to a computer’s systems rather than as an untrusted user.

Such exploits can be used to attack companies providing web hosting with Linux shell access and, from there, attack other customers of the web hosting firm as well as its administrators.

The second aspect is that the vulnerability affects most versions of Linux, which, given the spread of the open source operating system, means a potentially huge number of systems are exposed to the exploit, and researchers are already seeing Dirty COW being used out in the wild.

Another problem is that attacks using Dirty COW can happen in different layers of Linux, making them difficult to defend against using security software.

“Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary,” Red Hat’s advisory explained.

“This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether.”
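The comparison the advisory describes can be sketched as a baseline check. This is an added example, not code from Red Hat or the advisory: it records size and SHA-256 for a set of binaries on a known-good system and reports later differences, including content changes that leave the size unchanged. Watching setuid binaries, the function names and the hash comparison are assumptions of the example.

```python
import hashlib
import os
import stat

def fingerprint(path):
    """Return (size, sha256 hex digest) of a file read through the normal file API."""
    digest = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    return size, digest.hexdigest()

def setuid_binaries(root):
    """Yield regular files under root that carry the setuid bit (assumed watch list)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # file vanished or is inaccessible; skip it
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                yield path

def build_baseline(paths):
    """Record the 'original binary' state; run this on a known-good system."""
    return {p: fingerprint(p) for p in paths}

def compare(baseline):
    """Return (path, reason) for every binary that differs from the baseline."""
    findings = []
    for path, (old_size, old_hash) in sorted(baseline.items()):
        try:
            size, digest = fingerprint(path)
        except OSError as exc:
            findings.append((path, "unreadable: %s" % exc.strerror))
            continue
        if size != old_size:
            findings.append((path, "size changed %d -> %d" % (old_size, size)))
        elif digest != old_hash:
            # Same size, different bytes: a size-only check would miss this.
            findings.append((path, "content changed, size unchanged"))
    return findings

if __name__ == "__main__":
    # Take the baseline once, store it off-host, then re-run compare() on a schedule.
    baseline = build_baseline(setuid_binaries("/usr/bin"))
    for path, reason in compare(baseline):
        print("ALERT", path, reason)
```

As the advisory says of antivirus, a check like this detects a change after the fact; it does not block the write.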

Red Hat engineer Petr Matousek posted mitigation measures against the flaw in the advisory, but noted that they can affect how other programs run and that he is not convinced they will wholly mitigate the exploit.

With bugs like Dirty COW cropping up in widely used open source systems, it is no wonder that the Linux Foundation sees cyber security as a threat to the ‘golden age’ of open source.


Roland Moore-Colyer
