Sunday, 30 October 2016

WARNING: "The Dirty Cow" Linux bug

“Dirty COW” is the funny name for a serious Linux kernel vulnerability, a flaw found by Phil Oester.



A bug is a coding error in a computer program.

A software bug is an error, flaw, failure or fault in a computer program that causes it to produce an incorrect or unexpected result, or to behave in unintended ways.

Hi there tech fans, today we talk about "The Dirty COW". This is a race-condition flaw found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system; in other words, you can be hacked. Let's learn more about it, whether you are affected or not, and what to do, for both Linux kernel packages and Android phones.
A kernel is the central part of an operating system. It manages the tasks of the computer and the hardware, most notably memory and CPU time. There are two types of kernels: a microkernel, which contains only basic functionality, and a monolithic kernel, which contains many drivers.

A race condition is an undesirable situation that occurs when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in the proper sequence to be done correctly.

This recently discovered flaw is said to have been lurking in the code for more than nine years. It is pretty much guaranteed that if you're using any version of the Linux kernel packages shipped with Red Hat Enterprise Linux 5, 6, 7 and MRG 2.x, Fedora, or Android released in the past decade, you're vulnerable.

What really is "Dirty COW"?

Just like other POSIX (Portable Operating System Interface) systems, Linux implements "Discretionary Access Controls" (DAC), which rely on a framework of users and groups to grant or deny access to various parts of the OS. The permission granted can be read-only or read-write. For example, as a non-privileged user you should be able to read "/bin/bash" in order to start a shell session when you log in, but not write to it. Only a privileged account (e.g. "root") should be able to modify this file; otherwise any malicious user could replace the bash binary with a modified version that, for example, logs all passwords or starts up a backdoor.

The race condition described above allows an attacker to bypass this permissions framework by tricking the COW mechanism into modifying the original read-only objects instead of their copies. In other words, a carefully crafted attack by an unprivileged user can indeed replace "/bin/bash" with a malicious version. This vulnerability has been assigned two names: "CVE-2016-5195" and "Dirty COW".

Can my antivirus detect or block this attack?

Although the attack can happen at different layers, antivirus signatures that detect Dirty COW could be developed. Due to the attack's complexity, differentiating between legitimate use and an attack cannot be done easily, but an attack may be detected by comparing the size of a binary against the size of the original binary. This implies that antivirus can be programmed to detect the attack but not to block it, unless binaries are blocked altogether.
Possible fixes are being worked on in the upstream kernel; updates and updated versions are in progress and will be released as soon as possible. You should be closely monitoring your distribution's release alerts and apply any outstanding kernel errata as soon as they become available. The same applies to any Android devices you have.
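The size comparison mentioned above is the simplest form of a file-integrity check. The script below is an added example, not code from the original post or from any antivirus product: it records the size and SHA-256 of known-good binaries as a baseline and later reports files whose size or content changed, which also catches a same-size replacement that a size-only check would miss. The fake "/bin" directory and its file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (size, sha256) of a file. Size alone is the heuristic the
    article mentions; the hash also catches same-size replacements."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()

def build_baseline(paths):
    """Record fingerprints of known-good binaries, e.g. right after install."""
    return {p: fingerprint(p) for p in paths}

def find_modified(baseline):
    """Re-fingerprint every baselined file and report the ones that differ,
    with the kind of change so an analyst can triage the finding."""
    findings = []
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings.append((path, "missing"))
            continue
        cur_size, cur_digest = fingerprint(path)
        if cur_size != size:
            findings.append((path, "size changed"))
        elif cur_digest != digest:
            findings.append((path, "content changed, same size"))
    return findings

def demo():
    """Constructed scenario: a fake /bin directory in a temporary folder."""
    with tempfile.TemporaryDirectory() as bindir:
        bash = os.path.join(bindir, "bash")
        ls = os.path.join(bindir, "ls")
        with open(bash, "wb") as f:
            f.write(b"ELF original bash")
        with open(ls, "wb") as f:
            f.write(b"ELF original ls")
        baseline = build_baseline([bash, ls])
        # Simulate a same-size overwrite of "bash"; "ls" stays untouched.
        with open(bash, "wb") as f:
            f.write(b"ELF backdoor bash")   # also 17 bytes
        return [kind for _, kind in find_modified(baseline)]

if __name__ == "__main__":
    print(demo())
```

In practice the baseline must be stored somewhere the unprivileged user cannot modify, otherwise an attacker who can replace the binary can also replace the record of it.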

Now to the biting question: we have heard that this race condition has been present for over 9 years, which is a very long time when it comes to computing. It is guaranteed that if you're using any version of Linux or Android released in the past decade, you're vulnerable. Might there still be some flaws we do not know of yet?

Post your comments below and also share this article on all your social media platforms, not forgetting to like, follow and subscribe.
