Photographee.eu - Fotolia
Researchers at the application security firm Bindecy discovered the patch for the Dirty COW vulnerability from 2016 didn't quite work. What are the issues with the Dirty COW patch, and what should users do?
Dirty COW is a vulnerability first reported in 2016, but which had been in the Linux kernel since 2007. The COW in Dirty COW stands for copy-on-write, and it is dirty because the Linux kernel's memory subsystem had a flaw that enabled a privilege escalation attack by abusing a race condition.
The recent patch for Dirty COW itself contains a flaw that enables an attacker to exploit a local race condition in transparent huge pages that are used to manage huge pages in memory. An attacker can bypass privileges to modify private read-only huge pages. The consequence is that even after the original patch is applied, read-only huge pages can be rewritten as objects instead as copies, ultimately enabling a denial-of-service attack.
The Dirty COW vulnerability is caused by the mapping of the zero page as a huge page that can be overwritten. Researchers at Bindecy ran the vulnerable code and observed that "after the first write page-fault to the zero page, it will be replaced with a new fresh (zeroed) transparent huge page." Initialization of a global variable is not possible.
Vulnerable packages with transparent huge page support include Red Hat Enterprise Linux for ARM with kernel-alt, Red Hat Enterprise Linux for Power LE with kernel-rt, Ubuntu 17.04 with kernel 4.10 and Fedora with kernel 4.14. Linux kernel packages without transparent huge page support are not affected. A complete list of affected kernels is provided on the SecurityFocus website.
Administrators are advised to:
- Disable the use of zero page to prevent it from being mapped as a huge page. Red Hat provides mitigation code examples.
- Disable huge pages on a system. If running without huge pages, some applications may not perform properly. Red Hat also provides instructions on disabling transparent huge pages on Red Hat Enterprise Linux 7.
A better option to deal with the Dirty COW vulnerability would be a kernel update from a vendor. If an application requires transparent huge pages, a vendor should be consulted on application replacement.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Mobile security threats and prevention
Related Q&A from Judith Myerson
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading