How bad is the Dirty Cow Linux kernel vulnerability?

Also in today’s open source roundup: Android phones rooted by Dirty Cow, and the Build The Wall game is now available for Android


How bad is the Dirty Cow vulnerability?

The Dirty Cow Linux kernel vulnerability is getting lots of coverage in the media. But how bad is it really? A writer at Linux.com has a helpful overview of Dirty Cow.

Konstantin Ryabitsev reports for Linux.com:

…in order to exploit the “Dirty Cow” bug, the attacker must first be able to execute arbitrary code on the system. This, in itself, is bad enough – even if an attacker is not able to gain immediate root-level privilege, being able to execute arbitrary code gives them a massive foothold on your infrastructure and allows them a pivot point to reach your internal networks.

In fact, you should always assume that there are bad bugs lurking in the kernel that we do not yet know about (but the attackers do). Kees Cook in his blog about security bug lifetimes points out that vulnerabilities are usually fixed long after they are first introduced – many of them lurking in the code for years. Really bad bugs the caliber of the “Dirty Cow” are worth hundreds of thousands of dollars on the black market, and you should always assume that an attacker who is able to execute arbitrary code on your systems will eventually be able to escalate their privileges and gain root access. Efforts like the “Kernel Self Protection Project” can help reduce the impact of some of these lurking bugs, but not all of them – for example, race conditions are particularly tricky to guard against and can be devastating in their scope of impact.

Therefore, any mitigation for the “Dirty Cow” and other privilege escalation bugs should really be considered a part of a comprehensive defense-in-depth strategy that would work to keep attackers as far away as possible from being able to execute arbitrary code on your systems. Before they even get close to the kernel stack, the attackers should have to first defeat your network firewalls, your intrusion prevention systems, your web filters, and the RBAC protections around your daemons.

Taken altogether, these technologies will provide your systems with a great deal of herd immunity to ensure that no single exploit like the “Dirty Cow” can bring your whole infrastructure to its tipping point.

More at Linux.com

Linux redditors shared their thoughts in a recent thread about Dirty Cow:

Aussie_bob: “The Linux kernel has been patched, and major vendors such as RedHat, Ubuntu and Debian have already rolled out fixes for their respective Linux distributions.”

Archpuddington: “Dirty Cow is a local privilege escalation exploit, and hundreds of these have been found over the years. A remote code execution in a major browser would be a bigger problem for the everyday user.”

Mango_feldman: “If I understand correctly it basically means that any native (ie. machine code) executable can gain root.

That sounds a bit scary, until you realize that hostile code running as the user is almost as bad in itself[1]. It can access the network, log keys, access your webcamera, files, etc.

Which sounds even scarier - better isolation is really needed.

Lesson being that atm. you need to have high trust in all code you introduce into the system.

[1] for a regular desktop end-user. And detecting/removing code running as root is probably harder”

Oomk: “Yes, yes, blah, blah, if your users have shell access on servers with NFS mount points, they can kill the full shared filesystem. It can be easily used by crypto-ransomware-like scripts… Do you need other reasons or excuses?

Systems, networks and data can be completely pwned by exploiting a chain of several security flaws… “Dirty Cow” is just yet another missing link… The other missing links will be the other things you have decided not to patch in the previous months…”

More at Reddit

Android phones rooted by Dirty Cow

Since Android is based on Linux, it too has been affected by the Dirty Cow vulnerability. In the case of Android, Dirty Cow provides a new rooting technique.

Dan Goodin reports for Ars Technica:

Both of the exploits allow end users to root Android phones so they have capabilities such as tethering that are often restricted by individual manufacturers or carriers. By gaining access to the core parts of the Android OS, owners can bypass such limitations and vastly expand the things their devices can do. The darker side of rooting is that it’s sometimes done surreptitiously so that malicious apps can spy on users by circumventing application sandboxing and other security measures built into Android.

Just as Dirty Cow has allowed untrusted users or attackers with only limited access to a Linux server to dramatically elevate their control, the flaw can allow shady app developers to evade Android defenses that cordon off apps from other apps and from core OS functions. The reliability of Dirty Cow exploits and the ubiquity of the underlying flaw makes it an ideal malicious root trigger, especially against newer devices running the most recent versions of Android.

Dirty Cow came to light a few days before the release of a separate rooting method for Android devices. “Drammer,” as the latter exploit has been dubbed, is significant because it targets the “Rowhammer” bitflipping hardware bug, which allows attackers to modify data stored in device memory. Google plans to release a patch in November that makes Rowhammer much harder to exploit.

Now that the Dirty Cow hole has been patched in the Linux kernel, it’s only a matter of time until the fix makes its way into Android, too. But the soonest it will be available is with the release of next month’s Android patch batch. Of course, that’s not available for a large number of devices, mostly because of limitations set by manufacturers and carriers.

More at Ars Technica

Build The Wall game now available for Android

Apple’s app submission process for the iOS App Store has sometimes resulted in controversy as the company has banned apps for what seem to be arbitrary reasons. One such app that was recently blocked from being published is Build The Wall, a game that has players building a wall to keep illegal aliens out of the United States. While Apple has refused to publish the free game, Google has released it in the Google Play store.

Charlie Nash reports on the Build The Wall controversy for Breitbart:

Build the Wall: The Game, an iPhone game created by pro-Trump internet personality Baked Alaska, has been rejected from the Apple App Store for including a cameo by Pepe the Frog.

“I had a free game coming out on iOS today for y’all, but Apple has banned its release due to a cartoon picture of Pepe The Frog #FreePepe,” announced Alaska (real name Timothy Treadstone) on Twitter along with a screenshot of the game and Apple’s response on Wednesday.

“Your app includes content that many users would find objectionable and offensive,” claimed Apple in their rejection letter of the game, which is currently available for free on the Google Play store. “Specifically, your app includes Pepe the Frog character.”

“The hypocrisy of it is there’s dozens of Pepe the Frog apps already out on the App Store, and these are Pepe the Frog-based apps where Pepe is the icon. We merely had a cameo of Pepe,” Treadstone continued. “We get banned because it’s a pro-Trump app, but you can have an app only about Pepe and that’s not offensive.”

More at Breitbart

This article is published as part of the IDG Contributor Network.