Researchers at the application security firm Bindecy discovered the patch for the Dirty COW vulnerability from 2016 didn't quite work. What are the issues with the Dirty COW patch, and what should users do?
Dirty COW is a vulnerability that was first reported in 2016 but had been present in the Linux kernel since 2007. The COW in Dirty COW stands for copy-on-write, and it is "dirty" because a flaw in the Linux kernel's memory subsystem enabled a privilege escalation attack by abusing a race condition.
The patch for Dirty COW itself contains a flaw that enables an attacker to exploit a local race condition in transparent huge pages (THP), the kernel mechanism used to manage huge pages in memory. An attacker can bypass privileges and modify private read-only huge pages. The consequence is that even after the original patch is applied, read-only huge pages can be overwritten in place rather than as private copies, ultimately enabling a denial-of-service attack.
The Dirty COW vulnerability is caused by the zero page being mapped as a huge page that can be overwritten. Researchers at Bindecy ran the vulnerable code and observed that "after the first write page-fault to the zero page, it will be replaced with a new fresh (zeroed) transparent huge page." Initialization of a global variable is not possible.
Vulnerable packages with transparent huge page support include Red Hat Enterprise Linux for ARM with kernel-alt, Red Hat Enterprise Linux for Power LE with kernel-rt, Ubuntu 17.04 with kernel 4.10 and Fedora with kernel 4.14. Linux kernel packages without transparent huge page support are not affected. A complete list of affected kernels is provided on the SecurityFocus website.
Administrators are advised to:
- Disable use of the zero page so that it cannot be mapped as a huge page. Red Hat provides mitigation code examples.
- Disable huge pages on the system. Some applications may not perform properly without huge pages. Red Hat also provides instructions on disabling transparent huge pages on Red Hat Enterprise Linux 7.
A better option to deal with the Dirty COW vulnerability would be a kernel update from a vendor. If an application requires transparent huge pages, a vendor should be consulted on application replacement.
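As an added illustration, not code from the article or from Red Hat's mitigation examples, the following POSIX shell helper reports whether a host has transparent huge pages and the huge zero page enabled, and applies either of the two mitigations listed above through the standard sysfs controls under /sys/kernel/mm/transparent_hugepage (the `enabled` and `use_zero_page` files). The function and variable names are this example's own; a vendor kernel update remains the preferred fix.

```shell
#!/bin/sh
# Added example: status check and mitigation helpers for the huge zero page issue.
# Assumes the standard sysfs controls (absent on kernels without THP support):
#   $THP_DIR/enabled       -> e.g. "always [madvise] never" (bracketed = active)
#   $THP_DIR/use_zero_page -> "1" (huge zero page in use) or "0"
THP_DIR="${THP_DIR:-/sys/kernel/mm/transparent_hugepage}"

# Print the active THP mode from a file such as "always [madvise] never".
thp_active_mode() {
    m=$(sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1")
    # Fall back to the raw word if the file is unbracketed.
    [ -n "$m" ] && echo "$m" || head -n 1 "$1"
}

# Report status for the sysfs directory $1 (defaults to THP_DIR).
# Returns 0 when not affected or mitigated, 1 when exposed.
thp_check() {
    dir="${1:-$THP_DIR}"
    if [ ! -r "$dir/enabled" ]; then
        echo "no transparent huge page support: not affected"
        return 0
    fi
    mode=$(thp_active_mode "$dir/enabled")
    # Assume the zero page is in use if the knob is absent (older kernels).
    zero=$(cat "$dir/use_zero_page" 2>/dev/null || echo 1)
    if [ "$mode" = "never" ]; then
        echo "mitigated: transparent huge pages disabled"
        return 0
    fi
    if [ "$zero" = "0" ]; then
        echo "mitigated: THP=$mode but huge zero page disabled"
        return 0
    fi
    echo "exposed: THP=$mode with huge zero page enabled; disable use_zero_page or update the kernel"
    return 1
}

# Mitigation 1: keep THP but stop the zero page from being mapped as a huge page.
thp_disable_zero_page() {
    echo 0 > "${1:-$THP_DIR}/use_zero_page"
}

# Mitigation 2: disable THP entirely (some applications may lose performance).
thp_disable() {
    echo never > "${1:-$THP_DIR}/enabled"
}
```

Source the file and run `thp_check` to see the host's status; the two mitigation functions need root and only last until reboot, so persist the chosen setting in your boot configuration as well.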
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)