Researchers at the application security firm Bindecy discovered the patch for the Dirty COW vulnerability from 2016 didn't quite work. What are the issues with the Dirty COW patch, and what should users do?
Dirty COW is a vulnerability that was first reported in 2016 but had been in the Linux kernel since 2007. The COW in Dirty COW stands for copy-on-write, and it is dirty because the Linux kernel's memory subsystem had a flaw that enabled a privilege escalation attack by abusing a race condition.
The recent patch for Dirty COW itself contains a flaw that enables an attacker to exploit a local race condition in transparent huge pages, which are used to manage huge pages in memory. An attacker can bypass privileges to modify private read-only huge pages. The consequence is that even after the original patch is applied, read-only huge pages can be rewritten as objects instead of as copies, ultimately enabling a denial-of-service attack.
The Dirty COW vulnerability is caused by the mapping of the zero page as a huge page that can be overwritten. Researchers at Bindecy ran the vulnerable code and observed that "after the first write page-fault to the zero page, it will be replaced with a new fresh (zeroed) transparent huge page." Initialization of a global variable is not possible.
Vulnerable packages with transparent huge page support include Red Hat Enterprise Linux for ARM with kernel-alt, Red Hat Enterprise Linux for Power LE with kernel-rt, Ubuntu 17.04 with kernel 4.10 and Fedora with kernel 4.14. Linux kernel packages without transparent huge page support are not affected. A complete list of affected kernels is provided on the SecurityFocus website.
Administrators are advised to:
- Disable the use of the zero page to prevent it from being mapped as a huge page. Red Hat provides mitigation code examples.
- Disable huge pages on a system. If running without huge pages, some applications may not perform properly. Red Hat also provides instructions on disabling transparent huge pages on Red Hat Enterprise Linux 7.
A better option to deal with the Dirty COW vulnerability would be a kernel update from a vendor. If an application requires transparent huge pages, a vendor should be consulted on application replacement.
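A host-side check for the two workarounds listed above, as an added example that is not from the original article or from Red Hat's guidance. It assumes the standard Linux sysfs controls `/sys/kernel/mm/transparent_hugepage/enabled` and `use_zero_page`; the function names and status words are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit whether either workaround is in effect on this host.
# THP_SYSFS may be overridden to point at a constructed directory for testing.
THP_SYSFS="${THP_SYSFS:-/sys/kernel/mm/transparent_hugepage}"

# Print the selected value of a bracketed sysfs selector,
# e.g. "always [madvise] never" -> "madvise".
thp_active_mode() {
    sed -n 's/.*\[\([a-z]*\)].*/\1/p' "$1"
}

# thp_audit DIR: print one status word (names are illustrative).
#   no-thp         no THP controls present (kernel without THP support)
#   thp-disabled   transparent huge pages are off system-wide
#   zero-page-off  THP is on, but the huge zero page is disabled
#   unmitigated    neither workaround applied; the kernel version decides exposure
# Returns 1 only for "unmitigated".
thp_audit() {
    dir="${1:-$THP_SYSFS}"
    if [ ! -r "$dir/enabled" ]; then
        echo "no-thp"; return 0
    fi
    mode=$(thp_active_mode "$dir/enabled")
    if [ "$mode" = "never" ]; then
        echo "thp-disabled"; return 0
    fi
    # "always" and "madvise" both leave huge pages reachable by applications.
    if [ -r "$dir/use_zero_page" ] && [ "$(cat "$dir/use_zero_page")" = "0" ]; then
        echo "zero-page-off"; return 0
    fi
    echo "unmitigated"; return 1
}

# Report this host's state when the script is run directly.
thp_audit "$THP_SYSFS" || echo "apply a workaround or confirm the vendor kernel update" >&2
```

Both sysfs settings are runtime state and revert at reboot unless persisted, so the check is worth repeating after a restart.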
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)