Dirty COW – Slaying Linux privilege escalation bug

Linux kernel critical vulnerability identified

Linux kernel critical vulnerability identified

Recently a very serious vulnerability in the Linux kernel, the so-called Dirty COW, was reported. A nine-year-old critical vulnerability which has been discovered in virtually all versions of the Linux operating system is actively being exploited in the wild.

Dubbed “Dirty COW,” the Linux kernel security flaw (CVE-2016-5195) is a mere privilege-escalation vulnerability, but researchers are taking it extremely seriously due to many reasons.

First, it’s very easy to develop exploits that work reliably. Secondly, the Dirty COW flaw exists in a section of the Linux kernel, which is a part of virtually every distro of the open-source operating system, including RedHat, Debian, and Ubuntu, released for almost a decade.

And most importantly, the researchers have discovered attack code that indicates the Dirty COW vulnerability is being actively exploited in the wild.

The Dirty COW vulnerability allows attackers to gain root access to servers and take control over the whole system. The security hole was detected by researcher Phil Oester, who found out a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakages of private read-only memory mappings.

Attackers can use this to gain write access to otherwise read-only mappings and this way take control over whole systems. For more technical information you may check the official vulnerability page and this site which is dedicated to the vulnerability. Dirty COW potentially allows any installed malicious app to gain administrative (root-level) access to a device and completely hijack it within just 5 seconds.

Earlier this week, Linus Torvalds admitted that 11 years ago he first spotted this issue and also tried to fix it, but then he left it unpatched because at the time it was hard to trigger.

Why is the Flaw called Dirty COW?

The bug, marked as “High” priority, gets its name from the copy-on-write (COW) mechanism in the Linux kernel, which is so broken that any application or malicious program can tamper with read-only root-owned executable files and set up id executables.

“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings,” reads the website dedicated to Dirty COW.

“An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”

The Dirty COW vulnerability has been present in the Linux kernel since version 2.6.22 in 2007 and is also believed to be present in Android, which is powered by the Linux kernel.

The issue most probably affects hundreds of thousands, if not millions, of Linux based machines. If you are not running the latest version of the Linux kernel you should be worried. In fact, even if you are running the latest kernel you should still be worried, as currently, not all vendors have patched their respective kernels as with other vulnerabilities widely exposed. If you want to try and hack your own system you can visit

If you want to try and hack your own system you can visit this Github page and use the PoCs provided on it. According to the reports, the following Linux distro versions are vulnerable (please note that this is not a complete list but rather a list of the most popular Linux distros):

  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 5.x
  • CentOS Linux 7.x
  • CentOS Linux 6.x
  • CentOS Linux 5.x
  • Debian Linux wheezy
  • Debian Linux jessie
  • Debian Linux stretch
  • Debian Linux sid
  • Ubuntu Linux precise (LTS 12.04)
  • Ubuntu Linux trusty
  • Ubuntu Linux xenial (LTS 16.04)
  • Ubuntu Linux yakkety
  • Ubuntu Linux vivid/ubuntu-core
  • SUSE Linux Enterprise 11 and 12.
  • Openwrt

Patch management is crucial at this point in time

Patch Management is crucial for organizations of all sizes

Patch Management is crucial for organizations of all sizes

The Linux kernel has been patched, and major vendors such as RedHatUbuntu and Debian have already rolled out fixes for their respective Linux distributions.

Organizations and individuals have been urged to install a patch for their Linux-powered systems, phones and gadgets as soon as possible and risk falling victim in order to kill off the Linux kernel-level security flaw affecting nearly every distro of the open-source OS.

The easiest way to protect your computers running Linux is to update your Linux distro to the latest version. Keep in mind that this action, however, requires a reboot. You can use the following commands to update your Debian/Ubuntu and RHEL systems:

Debian/Ubuntu:
$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

RHEL:
$ sudo yum update
$ sudo reboot

CentOS:
There is still no official update of the CentOS kernel. At this time the only way to patch your CentOS servers is to follow the instructions from this link.

Once you reboot your Linux computers, ensure that they are running the new kernel by executing the following commands:

$ uname -a
$ uname -r
$ uname -mrs
The vulnerability was discovered by security researcher Phil Oester, who fund at least one in-the-wild attack exploiting this particular vulnerability. He found the exploit using an HTTP packet capture.

The vulnerability disclosure followed the tradition of branding high-profile security vulnerabilities like HeartbleedPoodleFREAK, and GHOST.

You can find more technical details about the Dirty COW vulnerability and exploit on the bug’s official websiteRedHat site, and GitHub page.

Leave a Reply