Sergey Nivens - Fotolia
A dangerous Linux zero-day flaw has been found to be lurking in the Linux kernel for the past nine years, and experts said there is no way to detect when the vulnerability has been used in an attack.
The Linux vulnerability (CVE-2016-5195), dubbed Dirty COW, is an especially troubling escalation-of-privilege flaw, which can allow an attacker to gain root access. According to Phil Oester, the Linux security researcher who uncovered Dirty COW, an exploit is "trivial to execute," and according to a community-maintained project for the issue, "exploitation of this bug does not leave any trace of anything abnormal happening to the logs."
Jonathan Sander, vice president of product strategy at Lieberman Software Corp., based in Los Angeles, told SearchSecurity that as an escalation-of-privilege bug, "Dirty COW is a knife, not a grenade; you need to get in close for it to be effective. It's useless without first getting some sort of low-level access to the system."
Red Hat described the kernel vulnerability as a race condition "found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and, thus, increase their privileges on the system."
Linus Torvalds, creator and principal developer of the Linux kernel, said in his code commit patch that Dirty COW was an "ancient bug" that he had attempted to fix 11 years ago, but the issue resurfaced after a later commit.
The vulnerability has been present in all Linux kernels since version 2.6.22, released in 2007. It has been patched by Torvalds in the kernel, but various Linux distributions still need to push the fix to users.
Sander said even if the Linux vulnerability was difficult to exploit at first, the proofs of concept available have made it much easier.
"The difficulty of using Dirty COW would lie in getting the first step of access and having the know-how to do it," Sander said. "Unfortunately, there are now essentially free and easy ways on the web to copy and paste your way to both. So, anyone with a minimally viable set of scripting skills and bad intent may be able to start using this immediately."
Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, said it is unlikely a victim will know whether or not this vulnerability was used on its system.
"With an alleged five-seconds deployment and compromise window, it's safe to assume that under the right conditions, this attack could allow an attacker relatively instant access to a victim," Arsene told SearchSecurity. "Of course, that doesn't mean that the attack cannot leverage other vulnerabilities or misconfigurations to deliver the payload, but it would definitely take a lot more than five seconds to be achieved, at least in less-than-ideal conditions."
Sander agreed the sheer size of the Linux kernel could be an explanation for why the vulnerability went unfound for so long.
"Estimates for the size of the Linux kernel range from 12 [million] to 15 million lines of code and about 38,000 files, all depending on which parts your Linux provider included. That's a lot of places for bugs to hide out," Sander said. "No single human could possibly review it all, and even automated systems take a nice big pause when they have to comb through that much."
Learn more about how Android security was improved because of memory protection in the Linux kernel.
Find out if companies can benefit from providing root access.
Get info on why you need to be on the lookout for Linux vulnerabilities.