James Thew - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

How did the Dirty COW exploit get shipped in software?

An exploit code for Dirty COW was accidentally shipped by Cisco with product software. Learn how this code ended up in a software release and what this vulnerability can do.

Cisco revealed that it accidentally shipped exploit code for the Dirty COW vulnerability in its TelePresence Video Communication Server and Expressway Series software. What is the vulnerability, and how did the Dirty COW exploit code end up in the software release?

The Dirty COW vulnerability gets its name from the copy-on-write mechanism in the Linux kernel combined with the "dirty" way it exploits a flaw in the Linux kernel's memory subsystem leading to a race condition. This vulnerability enables a local attacker to gain write access privilege to read-only memory mappings in TelePresence Video Communication Server and Expressway Series software.

When exploited, the flaw causes the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping; the exploit code is the malicious software that attempts to exploit the flaw.

This exploit enables an unauthenticated attacker to modify system files, deploy key loggers and remotely read data that has been collected during telepresence sessions or video conferences. The attacker can also take control of the conferences during face-to-face collaboration across organizations with consumers, remote workers and mobile users. Furthermore, the conferences could be shut down without warning to the participants.

The Dirty COW exploit code was accidentally included in Cisco's software release and was discovered only after the final quality assurance (QA) validation step of the automated software build system failed. It was during this failure that a set of sample dormant exploit code used by Cisco for internal validation steps was accidentally included in the release. The exploit code was not fixed by Cisco before the QA validation steps started.

Dirty COW was first reported in 2016, but the vulnerability had been lying dormant in the Linux kernel since 2007 due to inadequate QA validation steps that were previously taken by Cisco. However, the new QA validation steps failed to prevent the dormant exploit code samples from getting into the software release.

Vulnerable Cisco Telepresence Video Communication Server versions X8.9 through X8.11.3 were affected. While there is no known workaround, users can download version X8.11.4 from Cisco.

This was last published in February 2019

Dig Deeper on Emerging cyberattacks and threats