ADVISORY: Dirty COW Linux vulnerability, watch for patches and apply ASAP

Friday, October 21, 2016

This information was sent to several U-M IT staff groups on October 21, 2016. It is intended for U-M IT staff who are responsible for university machines running Linux.

Summary

There is a recently identified Linux vulnerability, Dirty COW, for which there are publicly available exploits. A race condition was found in the way the Linux kernel's memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. Many vendors have patches available (see below). Some, including Red Hat, are developing patches now. Watch for a patch from your Linux vendor for Dirty COW, and apply it as soon as possible after appropriate testing.

Problem

The Dirty COW vulnerability could be exploited by an attacker to modify existing setuid files to get root on vulnerable Linux systems. An attacker must already have a way to run executable code on the system to do this. A compromised account with shell access is a possible threat vector. Vulnerable web applications that allow upload and execution of code, or that contain SQL injection vulnerabilities that allow malicious code execution, are also possible attack vectors.

Threats

Active exploitation is reported to be occurring in the wild, and independent proof-of-concept exploit code has been published. An unprivileged local user could use the vulnerability to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

Affected Versions

All Linux systems running Linux kernel 2.6.22 or newer may be affected. Check these vendor sites for information about the Dirty COW vulnerability and patch availability:

  • Red Hat (patch under development)
  • Debian (patch available now)
  • Ubuntu (patch available now)
  • SUSE (patch available now)
  • Generic (patch available now)

Detection

Exploitation of this bug may not leave any evidence in logs, so detection is difficult.

Action Items

  • Complete kernel patching after appropriate testing as soon as a patch is available. A reboot will be required following patching.
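
The two checks implied by the Affected Versions and Action Items sections, as an added shell example that is not part of the original advisory: whether the running kernel falls in the 2.6.22-or-newer range, and whether a newer installed kernel is still waiting on a reboot. The function names, the /boot/vmlinuz-<release> naming and the --report switch are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory); function names are hypothetical.

# Succeed if a `uname -r` style string is 2.6.22 or newer, the range the advisory
# lists as possibly affected. Vendor backports are invisible to this check, so a
# match means "confirm the vendor fix is installed", not "vulnerable".
in_affected_range() (
    set -f; IFS=.
    set -- ${1%%-*}                 # drop "-10-generic" style suffix, split on dots
    major=${1%%[!0-9]*}; minor=${2%%[!0-9]*}; patch=${3%%[!0-9]*}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    if   [ "$major" -ne 2 ]; then [ "$major" -gt 2 ]
    elif [ "$minor" -ne 6 ]; then [ "$minor" -gt 6 ]
    else [ "$patch" -ge 22 ]; fi
)

# Print the highest kernel release found as vmlinuz-<release> in directory $1.
# Assumption: the distribution names kernel images this way; `sort -V` only
# approximates the package manager's own version ordering.
newest_installed() {
    for f in "$1"/vmlinuz-*; do
        if [ -e "$f" ]; then printf '%s\n' "${f##*/vmlinuz-}"; fi
    done | sort -V | tail -n 1
}

# Succeed if the newest image in directory $2 is not the running kernel ($1),
# i.e. a kernel is on disk but the reboot has not happened yet.
reboot_pending() {
    newest=$(newest_installed "$2")
    [ -n "$newest" ] && [ "$newest" != "$1" ]
}

triage_report() {
    running=$(uname -r)
    if in_affected_range "$running"; then
        echo "$running: 2.6.22 or newer, confirm the vendor fix is installed"
    else
        echo "$running: older than 2.6.22"
    fi
    if reboot_pending "$running" /boot; then
        echo "newest installed kernel $(newest_installed /boot) is not running: reboot required"
    fi
}

if [ "${1:-}" = "--report" ]; then triage_report; fi
```

Run it with --report on a host to print both results; without the argument it only defines the functions.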

Information for Users

Linux systems managed by ITS will be patched as soon as possible. If you manage Linux devices for yourself or others, please patch as soon as possible. In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks.

Questions, Concerns, Reports

Please contact [email protected].