Researchers at the application security firm Bindecy discovered the patch for the Dirty COW vulnerability from 2016 didn't quite work. What are the issues with the Dirty COW patch, and what should users do?
Dirty COW is a vulnerability that was first reported in 2016 but had been present in the Linux kernel since 2007. The COW in Dirty COW stands for copy-on-write, and it is dirty because a flaw in the Linux kernel's memory subsystem enabled a privilege escalation attack by abusing a race condition.
The recent patch for Dirty COW itself contains a flaw that enables an attacker to exploit a local race condition in transparent huge pages, the mechanism used to manage huge pages in memory. An attacker can bypass privileges to modify private read-only huge pages. The consequence is that even after the original patch is applied, read-only huge pages can be written to directly rather than as copies, ultimately enabling a denial-of-service attack.
The Dirty COW vulnerability is caused by the mapping of the zero page as a huge page that can be overwritten. Researchers at Bindecy ran the vulnerable code and observed that "after the first write page-fault to the zero page, it will be replaced with a new fresh (zeroed) transparent huge page." Initialization of a global variable is not possible.
Vulnerable packages with transparent huge page support include Red Hat Enterprise Linux for ARM with kernel-alt, Red Hat Enterprise Linux for Power LE with kernel-rt, Ubuntu 17.04 with kernel 4.10 and Fedora with kernel 4.14. Linux kernel packages without transparent huge page support are not affected. A complete list of affected kernels is provided on the SecurityFocus website.
Administrators are advised to:
- Disable the use of the zero page so it cannot be mapped as a huge page. Red Hat provides mitigation code examples.
- Disable huge pages on a system. If running without huge pages, some applications may not perform properly. Red Hat also provides instructions on disabling transparent huge pages on Red Hat Enterprise Linux 7.
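The two mitigations above, as an added shell script that is not part of the original article and is not Red Hat's own mitigation code. It assumes the standard sysfs knobs under /sys/kernel/mm/transparent_hugepage (the `enabled` and `use_zero_page` files), which the article does not name, and a `THP_DIR` override so the audit can be pointed at a test directory. It audits the current setting, reports whether either mitigation is in place, and can apply the less disruptive one (disabling the zero page) when run as root.

```shell
#!/bin/sh
# Added example: audit and optionally mitigate transparent huge page (THP)
# settings with respect to the Dirty COW patch flaw described in the article.
# Assumption: the standard sysfs location below; override with THP_DIR=... for testing.
THP_DIR="${THP_DIR:-/sys/kernel/mm/transparent_hugepage}"

# Extract the bracketed selection from a sysfs multi-choice file,
# e.g. "always [madvise] never" -> "madvise".
thp_selected() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# Return success if the given settings reflect one of the article's mitigations:
# $1 = contents of 'enabled', $2 = contents of 'use_zero_page'.
# Only "never" counts as THP disabled; "madvise" still lets applications opt in.
thp_mitigated() {
    mode=$(thp_selected "$1")
    zero=$(printf '%s' "$2" | tr -d '[:space:]')
    [ "$mode" = "never" ] || [ "$zero" = "0" ]
}

# Read the live kernel settings and report whether a mitigation is in place.
thp_audit() {
    if [ ! -d "$THP_DIR" ]; then
        echo "no transparent huge page support: this kernel is not affected"
        return 0
    fi
    enabled=$(cat "$THP_DIR/enabled")
    zero=$(cat "$THP_DIR/use_zero_page" 2>/dev/null || echo unknown)
    echo "THP mode: $(thp_selected "$enabled")  use_zero_page: $zero"
    if thp_mitigated "$enabled" "$zero"; then
        echo "mitigated (zero page disabled or THP off)"
    else
        echo "NOT mitigated: run '$0 mitigate' as root, or better, apply the vendor kernel update"
        return 1
    fi
}

# Apply the zero-page mitigation. Runtime only: it does not survive a reboot,
# so persist it via your distribution's sysfs/boot configuration if you rely on it.
thp_mitigate() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "thp_mitigate: must be run as root" >&2
        return 1
    fi
    echo 0 > "$THP_DIR/use_zero_page"
    # Uncomment to also disable THP entirely (the article notes some applications
    # may not perform properly without huge pages):
    # echo never > "$THP_DIR/enabled"
    thp_audit
}

# Usage: sh thp_check.sh audit | sh thp_check.sh mitigate
case "${1-}" in
    audit)    thp_audit ;;
    mitigate) thp_mitigate ;;
esac
```

Disabling the zero page is the narrower change and is the one the script applies; disabling THP outright is left as a commented line because of the performance trade-off the article mentions, and neither replaces a vendor kernel update.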
A better option to deal with the Dirty COW vulnerability would be a kernel update from a vendor. If an application requires transparent huge pages, a vendor should be consulted on application replacement.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)