As Ars Technica reports, Linux kernel bug CVE-2016-5195 finally received an official patch this week. When successfully exploited, the vulnerability allows a hacker to escalate their privileges on the system, giving them the power to run more dangerous commands. A person who ordinarily has very limited access to a computer could grant themselves administrative privileges.
The bug is so serious because it was found in a part of the kernel present in almost every distribution of Linux. That includes numerous desktop operating systems, cloud platforms, IoT hubs and smartphones. Attackers could feasibly target millions or even billions of devices. To add to the risk, it’s very easy to exploit.
The bug was found by Linux developer Phil Oester. According to an informational website about the discovery, he detected it using an HTTP packet capture. In an email to Ars Technica, Oester outlined how simple the vulnerability is to exploit. "Any user can become root in < 5 seconds in my testing, very reliably," he said. "Scary stuff."
On Linux systems, a "root" user has total access to the machine. Root users can interact with the computer and its filesystem with granular control. The attacker could install malware, hijack network connections or simply encrypt the user's hard drives.
The flaw has been dubbed "Dirty COW" by some members of the Linux community, an acronym derived from "copy on write", the duplication technique in which the vulnerability is found. Unprivileged users can abuse the copy-on-write functionality to gain write access to areas of memory that would usually be read-only.
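The following C program is an added illustration, not code from the article or from the kernel patch. It shows the guarantee that copy on write is supposed to provide and that Dirty COW undermines: a write to a private mapping of a read-only file lands in the process's own copy, and the kernel refuses a shared writable mapping of the same file. It assumes a Linux system with a writable /tmp; the function names and the scratch file are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
static const char ORIGINAL[] = "read-only data"; /* constructed sample content */

/* Create a scratch file holding ORIGINAL, reopen it read-only, then unlink it. */
static int open_readonly_sample(void) {
    char path[] = "/tmp/cow_demo_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t n = write(fd, ORIGINAL, sizeof ORIGINAL);
    close(fd);
    fd = (n == (ssize_t)sizeof ORIGINAL) ? open(path, O_RDONLY) : -1;
    unlink(path); /* the open descriptor keeps the file alive */
    return fd;
}

/* 1 if a MAP_PRIVATE write stayed in this process's copy; -1 on setup error. */
int private_write_stays_private(void) {
    char back[sizeof ORIGINAL] = {0};
    int fd = open_readonly_sample(), ok = -1;
    if (fd < 0) return -1;
    char *m = mmap(NULL, sizeof ORIGINAL, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (m != MAP_FAILED) {
        memcpy(m, "MODIFIED", 8); /* write fault: kernel copies the page first */
        ok = pread(fd, back, sizeof back, 0) == (ssize_t)sizeof back
             && memcmp(back, ORIGINAL, sizeof ORIGINAL) == 0  /* file untouched */
             && memcmp(m, "MODIFIED", 8) == 0;                /* copy changed */
        munmap(m, sizeof ORIGINAL);
    }
    close(fd);
    return ok;
}

/* 1 if the kernel refuses a shared writable mapping of the read-only fd. */
int shared_write_refused(void) {
    int fd = open_readonly_sample();
    if (fd < 0) return -1;
    void *m = mmap(NULL, sizeof ORIGINAL, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int refused = (m == MAP_FAILED && errno == EACCES);
    if (m != MAP_FAILED) munmap(m, sizeof ORIGINAL);
    close(fd);
    return refused;
}

int main(void) { return !(private_write_stays_private() == 1 && shared_write_refused() == 1); }
```

The program exits with status 0 when both guarantees hold.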
"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, said to Ars Technica. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time."
A patch for Dirty COW is now publicly available. While it has been published to the official Linux kernel, it will still take time for it to reach all Linux devices. Distribution vendors are in the process of integrating it into their operating systems and releasing updates to customers. Not every affected system will get the update, though. Some embedded Linux devices, such as IoT products, may never be updated.
The discovery follows a warning that Linux’s security needs to be upgraded to keep our future technology safe. Last month, researchers told the Linux Security Summit that the operating system’s protection mechanisms need a “total rethink” to address a series of design flaws. Dirty COW exemplifies the need for this work if Linux is to remain an industry-leading platform. Technology’s interconnected future necessitates strong security, something Linux no longer consistently provides.
