Dirty COW: Difference between revisions
mNo edit summary |
No edit summary |
||
(40 intermediate revisions by 29 users not shown) | |||
Line 1: | Line 1: | ||
{{short description|Computer security vulnerability}} |
|||
{{for|the television show|Dirty Cows}} |
{{for|the television show|Dirty Cows}} |
||
{{Infobox bug |
|||
[[Image:DirtyCow.svg|thumb|right|Logo for Dirty COW]] |
|||
| name = Dirty COW |
|||
| image = [[Image:DirtyCow.svg|180px]] |
|||
| caption = |
|||
| CVE = [https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-5195 CVE-2016-5195] |
|||
| discovered = |
|||
| patched = |
|||
| discoverer = Phil Oester |
|||
| affected software = [[Linux]] kernel (<4.8.3) |
|||
| website = |
|||
}} |
|||
'''Dirty COW''' (''Dirty copy-on-write'') is a [[computer security vulnerability]] |
'''Dirty COW''' (''Dirty copy-on-write'') is a [[computer security vulnerability]] of the [[Linux kernel]] that affected all Linux-based operating systems, including [[Android (operating system)|Android]] devices, that used older versions of the Linux kernel created before 2018. It is a local [[privilege escalation]] bug that exploits a [[race condition]] in the implementation of the [[copy-on-write]] mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable. |
||
The vulnerability was discovered by [[Phil Oester]].<ref name="ars">{{Cite news|url=https://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit/|title="Most serious" Linux privilege-escalation bug ever is under active exploit (updated)|last=Goodin|first=Dan|date=2016-10-20|newspaper=Ars Technica|access-date=2016-10-21}}</ref><ref name=":0">{{Cite web|url=https://www.zdnet.com/article/the-dirty-cow-linux-security-bug-moos/|title=The Dirty Cow Linux bug: A silly name for a serious problem|last=Vaughan-Nichols|first=Steven J.|website=ZDNet|access-date=2016-10-21}}</ref> |
|||
Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local [[privilege escalation]], remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote [[root access]] on a computer.<ref name="ars"/> The attack itself does not leave traces in the system log.<ref name=":0"/> |
Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local [[privilege escalation]], remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote [[root access]] on a computer.<ref name="ars"/> The attack itself does not leave traces in the system log.<ref name=":0"/> |
||
The vulnerability has the [[Common Vulnerabilities and Exposures]] designation {{CVE|2016-5195}}.<ref>{{Cite web|url=https://access.redhat.com/security/vulnerabilities/2706661|title=Kernel Local Privilege Escalation - CVE-2016-5195 - Red Hat Customer Portal|website=access.redhat.com |
The vulnerability has the [[Common Vulnerabilities and Exposures]] designation {{CVE|2016-5195}}.<ref>{{Cite web|url=https://access.redhat.com/security/vulnerabilities/2706661|title=Kernel Local Privilege Escalation - CVE-2016-5195 - Red Hat Customer Portal|website=access.redhat.com|access-date=2016-10-21}}</ref> Dirty Cow was one of the first security issues transparently fixed in Ubuntu by the Canonical Live Patch service.<ref>{{cite web |title=LSN-0012-1 Linux kernel vulnerability |work=Ubuntu Security mailing list |date=October 20, 2016 |url=https://lists.ubuntu.com/archives/ubuntu-security-announce/2016-October/003602.html }}</ref> |
||
It has been demonstrated that the vulnerability can be utilized to [[Rooting (Android OS)|root]] any Android device |
It has been demonstrated that the vulnerability can be utilized to [[Rooting (Android OS)|root]] any Android device before [[Android version history|Android version 7]] (Nougat).<ref>{{cite news |title=Android phones rooted by "most serious" Linux escalation bug ever |work=Ars Technica |date=October 24, 2016 |url=https://arstechnica.com/security/2016/10/android-phones-rooted-by-most-serious-linux-escalation-bug-ever/ }}</ref> |
||
== History == |
== History == |
||
The vulnerability has existed in the Linux kernel since version 2.6.22 released in September 2007, and there is information about it being actively exploited at least since October 2016.<ref name=":0" /> The vulnerability has been patched in Linux kernel versions 4.8.3, 4.7.9, 4.4.26 and newer. |
The vulnerability has existed in the Linux kernel since version 2.6.22 released in September 2007, and there is information about it being actively exploited at least since October 2016.<ref name=":0" /> The vulnerability has been patched in Linux kernel versions 4.8.3, 4.7.9, 4.4.26 and newer. |
||
The patch produced in 2016 did not fully address the issue and a revised patch was released on November |
The patch produced in 2016 did not fully address the issue and a revised patch was released on November 27, 2017, before public dissemination of the vulnerability.<ref>{{cite news|url=https://www.theregister.co.uk/2017/12/04/dirty_cow_sequel_huge_dirty_cow_patched/|title=Dirty COW redux: Linux devs patch botched patch for 2016 mess|work=The Register|first=Richard|last=Chirgwin|date=December 4, 2017}}</ref> |
||
<ref>https://www.theregister.co.uk/2017/12/04/dirty_cow_sequel_huge_dirty_cow_patched/</ref> |
|||
== Applications == |
== Applications == |
||
The Dirty COW vulnerability has many perceived use cases including proven examples, such as obtaining root permissions in Android devices, as well as several speculated implementations. There are many binaries used in |
The Dirty COW vulnerability has many perceived use cases including proven examples, such as obtaining root permissions in Android devices, as well as several speculated implementations. There are many binaries used in Linux which are read-only, and can only be modified or written to by a user of higher permissions, such as the root. When privileges are escalated, whether by genuine or malicious means – such as by using the Dirty COW exploit – the user can modify usually unmodifiable binaries and files. If a malicious individual could use the Dirty COW vulnerability to escalate their permissions, they could change a file, such as <code>[[Bash (Unix shell)|/bin/bash]]</code>, so that it performs additional, unexpected functions, such as a keylogger. When a user starts a program which has been infected, they will inadvertently allow the malicious code to run. If the exploit targets a program which is run with root privileges, the exploit will have those same privileges. |
||
== Remedies and recourse == |
== Remedies and recourse == |
||
At the dawn of its discovery, anyone using a machine running Linux was susceptible to the exploit. The |
At the dawn of its discovery, anyone using a machine running Linux was susceptible to the exploit. The exploit has no preventative work around, the only cure is a patch or running a newer version which is not vulnerable anymore. [[Linus Torvalds]] committed a patch on October 18, 2016, acknowledging that it was an old vulnerability he had attempted to fix eleven years prior.<ref>{{cite web|url=https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619|title=mm: remove gup_flags FOLL_WRITE games from __get_user_pages()|work=Linux kernel source tree|date=October 18, 2016}}</ref> Some distributors provide patches, such as [[Canonical (company)|Canonical]], who provided a [[dynamic software updating|live patch]]. In the absence of a patch, there are a few mitigation technologies including [[SystemTap]], and very little security from [[SELinux]] or [[AppArmor]]. Antivirus software has the potential to detect elevated permissions attacks, but it cannot prevent the attack.<ref>{{cite web |title=How Bad is Dirty COW? |date=October 24, 2016 |url=https://www.linuxfoundation.org/blog/2016/10/how-bad-is-dirty-cow/|publisher=The Linux Foundation}}</ref> When given the opportunity, the safest route is to upgrade the Linux kernel to the following versions:<ref>{{cite web|url=https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-dirty-cow-linux-vulnerability|title=How To Protect Your Server Against the Dirty COW Linux Vulnerability|work=DigitalOcean|author=Hazel Virdó|date=October 31, 2016|access-date=December 29, 2016}}</ref><ref>{{Cite web|url=https://www.suse.com/support/kb/doc/?id=7018178|title=CVE-2016-5195: kernel: local privilege escalation using MAP_PRIVATE (Dirty COW). {{!}} Support {{!}} SUSE|website=www.suse.com|access-date=2020-01-22}}</ref> |
||
{| class="wikitable" |
{| class="wikitable" |
||
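Review bot: In the Remedies and recourse paragraph, "The exploit has no preventative work around" is contradicted later in the same paragraph by "there are a few mitigation technologies including [[SystemTap]]"; reword the first sentence to say that a patched kernel is the only complete fix and present the mitigations as stopgaps, or keep whichever statement the cited Linux Foundation source supports. In the same hunk the infobox leaves `discovered`, `patched` and `website` empty although the paragraph dates the patch to October 18, 2016, and `affected software = [[Linux]] kernel (<4.8.3)` does not match the History sentence that also lists 4.7.9 and 4.4.26 as fixed; fill or drop the empty parameters and align the version bound.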
Line 26: | Line 38: | ||
! Earliest kernel version fixed !! Linux distribution that uses this |
! Earliest kernel version fixed !! Linux distribution that uses this |
||
|- |
|- |
||
| 3.2.0-113.155 || Ubuntu 12.04 LTS |
| 3.2.0-113.155 || [[Ubuntu]] 12.04 LTS |
||
|- |
|- |
||
| 3.13.0-100.147 || Ubuntu 14.04 LTS (Linux Mint 17.1) |
| 3.13.0-100.147 || Ubuntu 14.04 LTS (Linux Mint 17.1) |
||
|- |
|- |
||
| 3.16.36-1+deb8u2 || Debian 8 |
| 3.16.36-1+deb8u2 || [[Debian]] 8 |
||
|- |
|- |
||
| 4.4.0-45.66 || Ubuntu 16.04 LTS |
| 4.4.0-45.66 || Ubuntu 16.04 LTS |
||
⚫ | |||
| 4.7.8-1 || Debian unstable{{clarify|Which "unstable"?|date=July 2017}} |
|||
|- |
|- |
||
| 4.8.0-26.28 || Ubuntu 16.10 |
| 4.8.0-26.28 || Ubuntu 16.10 |
||
⚫ | |||
| 3.10.0-327.36.3 || [[RHEL]] 7, CentOS 7 |
|||
|- |
|||
| 2.6.32-642.6.2 || RHEL 6, CentOS 6 |
|||
|- |
|||
| 2.6.18-416 || RHEL 5, CentOS 5 |
|||
|- |
|||
|3.0.101-84.1 |
|||
|[[SUSE Linux Enterprise Server|SLES]] 11 SP4 |
|||
|- |
|||
|3.12.60-52.57.1 |
|||
|SLES 12 GA LTSS |
|||
|- |
|||
|3.12.62-60.64.8.2 |
|||
|SLES 12 SP1 |
|||
|} |
|} |
||
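Review bot: The SLES rows at the end of the table put each cell on its own line (`|3.0.101-84.1` followed by `|[[SUSE Linux Enterprise Server|SLES]] 11 SP4`) while every other row uses the single-line `| version || distribution` form; convert them to the `||` form so the table source stays uniform. The rows are also in no consistent order (Ubuntu, Debian, Ubuntu, then RHEL and SLES), so consider grouping them by distribution family, and since values such as `3.16.36-1+deb8u2` are distribution package versions, the header "Earliest kernel version fixed" would read more accurately as a package version.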
Line 43: | Line 68: | ||
== External links == |
== External links == |
||
* {{Official website|https://dirtycow.ninja/}} |
|||
* [https://access.redhat.com/security/cve/cve-2016-5195 CVE-2016-5195] at [[Red Hat]] |
* [https://access.redhat.com/security/cve/cve-2016-5195 CVE-2016-5195] at [[Red Hat]] |
||
* [https:// |
* [https://www.suse.com/support/kb/doc/?id=7018178 CVE-2016-5195] at [[SUSE S.A.|SUSE]] |
||
* [https://www.suse.com/support/kb/doc/?id=7018178 CVE-2016-5195] at [[SUSE]] |
|||
{{Hacking in the 2010s}} |
{{Hacking in the 2010s}} |
||
[[Category:2016 in |
[[Category:2016 in computing]] |
||
[[Category:Internet security]] |
[[Category:Internet security]] |
||
[[Category:Software bugs]] |
[[Category:Software bugs]] |
||
[[Category:Linux]] |
[[Category:Linux]] |
||
[[Category:Privilege escalation exploits]] |
[[Category:Privilege escalation exploits]] |
||
[[Category:Computer security exploits]] |
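Review bot: The SUSE entry under External links (`https://www.suse.com/support/kb/doc/?id=7018178`) repeats a URL that is already cited as a reference in Remedies and recourse, and its label "CVE-2016-5195" is identical to the Red Hat entry's label; drop it from External links or relabel it so the two entries can be told apart.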
Latest revision as of 19:57, 18 October 2024
CVE identifier(s) | CVE-2016-5195 |
---|---|
Discoverer | Phil Oester |
Affected software | Linux kernel (<4.8.3) |
Dirty COW (Dirty copy-on-write) is a computer security vulnerability of the Linux kernel that affected all Linux-based operating systems, including Android devices, that used older versions of the Linux kernel created before 2018. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem. Computers and devices that still use the older kernels remain vulnerable.
The vulnerability was discovered by Phil Oester.[1][2] Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer.[1] The attack itself does not leave traces in the system log.[2]
The vulnerability has the Common Vulnerabilities and Exposures designation CVE-2016-5195.[3] Dirty COW was one of the first security issues transparently fixed in Ubuntu by the Canonical Live Patch service.[4]
It has been demonstrated that the vulnerability can be utilized to root any Android device before Android version 7 (Nougat).[5]
History
The vulnerability has existed in the Linux kernel since version 2.6.22 released in September 2007, and there is information about it being actively exploited at least since October 2016.[2] The vulnerability has been patched in Linux kernel versions 4.8.3, 4.7.9, 4.4.26 and newer.
The patch produced in 2016 did not fully address the issue and a revised patch was released on November 27, 2017, before public dissemination of the vulnerability.[6]
Applications
The Dirty COW vulnerability has many perceived use cases, including proven examples, such as obtaining root permissions on Android devices, as well as several speculated implementations. Many binaries used in Linux are read-only and can only be modified or written to by a user with higher permissions, such as root. When privileges are escalated, whether by genuine or malicious means – such as by using the Dirty COW exploit – the user can modify binaries and files that are usually unmodifiable. If a malicious individual could use the Dirty COW vulnerability to escalate their permissions, they could change a file, such as /bin/bash, so that it performs additional, unexpected functions, such as a keylogger. When a user starts a program which has been infected, they will inadvertently allow the malicious code to run. If the exploit targets a program which is run with root privileges, the exploit will have those same privileges.
Remedies and recourse
At the time of its discovery, anyone using a machine running Linux was susceptible to the exploit. The exploit has no preventative workaround; the only cure is a patch or running a newer version which is no longer vulnerable. Linus Torvalds committed a patch on October 18, 2016, acknowledging that it was an old vulnerability he had attempted to fix eleven years prior.[7] Some distributors provide patches, such as Canonical, which provided a live patch. In the absence of a patch, there are a few mitigation technologies including SystemTap, and very little security from SELinux or AppArmor. Antivirus software has the potential to detect elevated permissions attacks, but it cannot prevent the attack.[8] When given the opportunity, the safest route is to upgrade the Linux kernel to the following versions:[9][10]
Earliest kernel version fixed | Linux distribution that uses this |
---|---|
3.2.0-113.155 | Ubuntu 12.04 LTS |
3.13.0-100.147 | Ubuntu 14.04 LTS (Linux Mint 17.1) |
3.16.36-1+deb8u2 | Debian 8 |
4.4.0-45.66 | Ubuntu 16.04 LTS |
4.8.0-26.28 | Ubuntu 16.10 |
3.10.0-327.36.3 | RHEL 7, CentOS 7 |
2.6.32-642.6.2 | RHEL 6, CentOS 6 |
2.6.18-416 | RHEL 5, CentOS 5 |
3.0.101-84.1 | SLES 11 SP4 |
3.12.60-52.57.1 | SLES 12 GA LTSS |
3.12.62-60.64.8.2 | SLES 12 SP1 |
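The table above can be applied as a fleet check. The following is an added example, not part of the original article: it compares installed kernel package versions against the table's earliest fixed versions using a simplified numeric ordering (not dpkg's or rpm's full algorithm). The host names, inventory entries and the function names `version_key`, `dirty_cow_status` and `audit` are constructed for illustration, and the input is assumed to be the package version reported by the package manager rather than the `uname -r` string.

```python
import re

# Earliest fixed kernel package version per distribution (from the table above).
FIXED = {
    "Ubuntu 12.04 LTS": "3.2.0-113.155",
    "Ubuntu 14.04 LTS": "3.13.0-100.147",
    "Debian 8": "3.16.36-1+deb8u2",
    "Ubuntu 16.04 LTS": "4.4.0-45.66",
    "Ubuntu 16.10": "4.8.0-26.28",
    "RHEL 7, CentOS 7": "3.10.0-327.36.3",
    "RHEL 6, CentOS 6": "2.6.32-642.6.2",
    "RHEL 5, CentOS 5": "2.6.18-416",
    "SLES 11 SP4": "3.0.101-84.1",
    "SLES 12 GA LTSS": "3.12.60-52.57.1",
    "SLES 12 SP1": "3.12.62-60.64.8.2",
}

def version_key(version):
    """Sortable int tuple; keeps a Debian '+deb8u2' suffix, drops RPM tags like '.el7'."""
    m = re.match(r"\d+(?:[.-]\d+)*", version)
    if not m:
        raise ValueError(f"unparseable kernel version: {version!r}")
    key = [int(n) for n in re.split(r"[.-]", m.group())]
    rest = version[m.end():]
    if rest.startswith("+"):
        key += [int(n) for n in re.findall(r"\d+", rest)]
    return tuple(key)

def dirty_cow_status(distro, installed):
    """Return 'fixed', 'vulnerable', or 'unknown' when the distro is not in the table."""
    fixed = FIXED.get(distro)
    if fixed is None:
        return "unknown"
    return "fixed" if version_key(installed) >= version_key(fixed) else "vulnerable"

# Constructed inventory: (host, distribution, installed kernel package version).
INVENTORY = [
    ("web-01", "Ubuntu 16.04 LTS", "4.4.0-42.62"),
    ("db-01", "RHEL 7, CentOS 7", "3.10.0-327.36.3.el7.x86_64"),
    ("db-02", "RHEL 6, CentOS 6", "2.6.32-642.el6.x86_64"),
    ("mail-01", "Debian 8", "3.16.36-1+deb8u1"),
    ("build-01", "Fedora 24", "4.7.9-200.fc24"),
]

def audit(inventory):
    return {host: dirty_cow_status(distro, ver) for host, distro, ver in inventory}

if __name__ == "__main__":
    print(audit(INVENTORY))
```

A kernel fixed by a live patch, such as the Canonical live patch mentioned above, keeps its original package version and will still be reported as vulnerable by this check.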
References
1. Goodin, Dan (2016-10-20). "'Most serious' Linux privilege-escalation bug ever is under active exploit (updated)". Ars Technica. Retrieved 2016-10-21.
2. Vaughan-Nichols, Steven J. "The Dirty Cow Linux bug: A silly name for a serious problem". ZDNet. Retrieved 2016-10-21.
3. "Kernel Local Privilege Escalation - CVE-2016-5195 - Red Hat Customer Portal". access.redhat.com. Retrieved 2016-10-21.
4. "LSN-0012-1 Linux kernel vulnerability". Ubuntu Security mailing list. October 20, 2016.
5. "Android phones rooted by 'most serious' Linux escalation bug ever". Ars Technica. October 24, 2016.
6. Chirgwin, Richard (December 4, 2017). "Dirty COW redux: Linux devs patch botched patch for 2016 mess". The Register.
7. "mm: remove gup_flags FOLL_WRITE games from __get_user_pages()". Linux kernel source tree. October 18, 2016.
8. "How Bad is Dirty COW?". The Linux Foundation. October 24, 2016.
9. Hazel Virdó (October 31, 2016). "How To Protect Your Server Against the Dirty COW Linux Vulnerability". DigitalOcean. Retrieved December 29, 2016.
10. "CVE-2016-5195: kernel: local privilege escalation using MAP_PRIVATE (Dirty COW). | Support | SUSE". www.suse.com. Retrieved 2020-01-22.