'Most Serious' Linux Privilege-Escalation Bug Ever Is Under Active Exploit (arstechnica.com) 109
Reader operator_error shares an ArsTechnica report: A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers are taking it extremely seriously. For one thing, it's not hard to develop exploits that work reliably. For another, the flaw is located in a section of the Linux kernel that's a part of virtually every distribution of the open-source OS released for almost a decade. What's more, researchers have discovered attack code that indicates the vulnerability is being actively and maliciously exploited in the wild.
"It's probably the most serious Linux local privilege escalation ever," Dan Rosenberg, a senior researcher at Azimuth Security, told Ars. "The nature of the vulnerability lends itself to extremely reliable exploitation. This vulnerability has been present for nine years, which is an extremely long period of time." The underlying bug was patched this week by the maintainers of the official Linux kernel. Downstream distributors are in the process of releasing updates that incorporate the fix. Red Hat has classified the vulnerability as "important."
Why Use Linux? (Score:1, Troll)
OMGUbuntu why use linux answered in 3 short words [slashdot.org]
Why use Linux? Because of security!
Hmm .. something just doesn't sound right here.
Re: (Score:1)
If you install BSD on some random desktop and get VESA only graphics or CLI only and the network card or wifi doesn't work, that's pretty secure.
Re: (Score:2)
They're for different purposes. OpenBSD for example has a very advanced firewall, just not as advanced as Linux in other areas, such as desktop.
Re: (Score:1)
Go on, then. Differ already.
Re:Why Use Linux? (Score:5, Insightful)
Hmm .. something just doesn't sound right here.
True. The thing that doesn't sound right is the belief that security is binary. Security is a continuum and sometimes a series of tradeoffs. It's not, never has been, and never will be 100%.
So no, finding a security bug in the linux kernel doesn't mean that linux is any less secure. We know these things happen. The idea is that it happens LESS often, and with less severity, and with fewer downsides than with Windows.
Re:Why Use Linux? (Score:5, Funny)
For Linux, it's the most serious local privilege escalation ever.
For Windows, it's Friday.
Re: (Score:2)
The whole point is that someone noticed the exploit in the wild.
Re: (Score:2)
And whenever an article like this comes out, it's almost always already patched on Linux. How often is that the case with the proprietary sphere?
Nine year old bug? What about "a million eyes"? (Score:1)
"A million eyes makes all bugs shallow."
Yet again, we see that is total BS. This exploit has been there for at least nine years, and we see the apologists saying, "When an article like this comes out, it's already patched!!" What about those that have been screwed over by this design flaw for nine years?
Re: (Score:2)
And I'm saying, what about when a bug shows up on Oracle's or Microsoft's systems, that has been there for 9 years, and they still take a couple months to fix it after it becomes public knowledge?
Your move, Sparky.
Re: (Score:1)
Security is binary.
You're either secure or you're not.
There's no "less secure" or "more secure".
The scope/impact of specific vulnerabilities may differ, but the fact that you have vulnerabilities means you're not secure.
So no, finding a security bug in the linux kernel doesn't mean that linux is any less secure.
Even if you believe security is a spectrum, you're wrong here. Discovering a previously unknown vulnerability means you know the system to be less secure than you thought it to be.
Re: (Score:2)
By your reasoning, security is a fixed steady state of false. Is that safe secure? No, given only 6 months and a modest $100 million investment, it can be drilled through.
Re: (Score:2)
One of the old Roman authors wrote that at any one time, e.g. your slave might slit your throat while in the middle of shaving you.
I think the message was something like "Deal with it" (in the internet memes sense)
Re: (Score:2)
And often it depends on the person behind the keyboard. If you have two computers with the same level of security, the computer with the insecure user will get hacked before (and more frequently than) the computer with the more secure user. Unfortunately, user education can only take you so far.
Re: (Score:3, Insightful)
So, how many security holes just as bad as this one has been silently plugged in Windows the last 15 years? How many equally serious security holes are being exploited in Windows right now? How many worse security holes are being exploited, or waiting to be found in Windows, right now?
I don't know. But I'm willing to guess the answer isn't "zero" to any of those questions. Nobody ever claimed Linux was bulletproof, the point is that it's better than the alternative.
Linux is less complex than Windows, bugs te
Re: (Score:2)
... and reinvents tried and tested code, thus bringing more exploits to the party.
Re: (Score:2)
OMGUbuntu why use linux answered in 3 short words [slashdot.org]
Why use Linux? Because of security!
Hmm .. something just doesn't sound right here.
Replying to my own post because I'm defeated by all that whooshing noise from all those other replies.
Some people just can't take a joke.
Re: (Score:2)
It does happen with open source software, as with any software, and open source advocates don't need to apologize for it. What they need to do is fix it when it's brought to their attention --- oh, wait, they already did that.
Re: (Score:1)
... 9 years after the fact.
Actually the bug was fixed 11 years ago, but was regressed in a later patch that fixed a different issue for one architecture linux supports.
Re: (Score:2)
... 9 years after the fact.
Yes, but that misses the point. It was fixed as soon as it was pointed out. No denial, no delay, just fixed. And, at least it was found and reported, even if it did take a very long time.
Of course, with closed source we'll never know what's been lurking for many years, but I suspect there will be things there too, as there are in all complex systems.
Read the rest of the sentence. It's about the fix (Score:2)
The eyeballs quote from Eric S Raymond is about *fixing* bugs. It doesn't say anything like "there will never be a bug". The end of the sentence is the words "the fix obvious to someone" and a few lines down he says it "can be rephrased as 'Debugging is parallelizable'". Linus clarified "Somebody finds the problem and somebody else understands it".
Would he include all of that discussion of how bugs are fixed if he even believed there were no bugs? Of course not. The claim is that no one person has to spe
Mitigations (Score:1)
The existing known exploit does not work on stock RHEL5/6 systems because /proc/self/mem is read-only by default. But, there may be other exploit vectors.
Re: (Score:1)
Not sure what rhel5/6 systems you are looking at. All of the ones I checked have it rw.
Re: (Score:3, Informative)
"The in the wild exploit we are aware of doesn't work on Red Hat Enterprise Linux 5 and 6 out of the box because on one side of the race it writes to /proc/self/mem, but /proc/self/mem is not writable on Red Hat Enterprise Linux 5 and 6."
-- https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13
Re: (Score:2)
The simple mitigation is to not have local users who will hack your machine.
If you run a server, an exploit of the server software (nginx, PHP scripts, Ruby on Rails, etc.) will provide local non-root access, which you can then root.
If you run your server software in Docker, then the host system's binaries aren't exposed. That means an attacker can't modify the disk cache for /bin/su and then su to root; he can only modify the disk cache for /bin/su or glibc from e.g. the debian:jessie image that the D
Root my Android phone? (Score:5, Interesting)
Can I use this to root my Android phone? I just want to install an ad-blocking /etc/hosts file, so I don't need a permanent root. This sounds like just the sort of exploit to do the trick, but I haven't looked at the technical details. I just want to do this before the next security update patches it.
Re: (Score:1)
Why don't you use a VPN and do the fingering on the remote end of the VPN, you can even compress the stuff so it loads faster on your end
Re:Root my Android phone? (Score:5, Funny)
> just want to do this before the next security update patches it
On your *Android phone*? I don't think you have to worry about that.
Re: (Score:2)
You could always install the AdblockPlus Browser.
Firefox has uBlock Origin (Score:3)
If you just want to block ads to your browser, then Firefox has the best tool. uBlock Origin can be configured for adblock, malware, and many sundry lists. Opera also advertises adblock as well as VPN, but Opera is now Chinese-owned and will be able to keybridge you, so caveat emptor.
You only need to touch /etc/hosts if you want to adblock Chrome and/or something OTHER than a browser. In that case, I am using AdAway from F-Droid, and that needs root every time it applies updates to /etc/hosts, so you will l
Don't forget the stupid name! (Score:2, Informative)
Dirty Cows are for cows mooooooooooooooooooooo [dirtycow.ninja]
Re: How does it work? (Score:3, Informative)
Spam the mm from 2 threads. Wait for a read only page to be writeable before cow occurs.
Re: (Score:2)
I'm not 100% sure, either, but based on what I'm reading, this exploit requires some type of local access to use directly. While it's not as bad as all the hype, it's still not great, and can still be exploited remotely; it just takes an extra step.
Say you're running a web server, and Apache has a buffer overflow vulnerability. A hacker can break in and, normally, only has access to whatever the "apache" user has access to. If the hacker knows about dirty cow, he can now give himself root access.
Linux "operating system"? (Score:2)
Re: (Score:1)
This is a bug in the Linux kernel, affecting most operating systems that use this kernel.
Sorry Richard...
Truly easy to exploit (Score:5, Informative)
I found one of these "exploits in the wild":
https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
It works on the three Linux machines I first tested it on.
$ dirtyc0w /etc/secretfile.txt abcde
simply (over)writes abcde to the beginning of the file.
Fix seems to be available for none of the systems right now.
At least it requires a local account.... I mean, after all, it must be considered a security problem to allow web users to upload binaries or run arbitrary commands via a web server anyway. But if I was responsible for a students lab with hundreds of Linux computers I would be a little nervous.
Re: (Score:2)
On Ubuntu, 4.4.0-43-generic was clearly vulnerable.
I now have 4.4.0-45-generic which seems to be safe.
Re: (Score:2)
For some reason ubuntu installed 4.4.0-45 but insisted on still booting 4.4.0.43. So after a full upgrade and a reboot it was still vulnerable. After I discovered the problem and booted 4.4.0-45 I confirmed that fixed the problem.
Raspbian seems not to be fixed (please correct me if I am wrong).
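The failure described in the comment above (a fixed kernel installed while an older one is still the one running) can be checked for mechanically. This is an added example, not code from the thread; it assumes installed kernels appear as /boot/vmlinuz-<release>, and it only detects a pending reboot, it does not establish that the newest installed kernel contains the fix.

```c
/* Added example (not from the thread): is the running kernel the newest installed? */
#define _GNU_SOURCE
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>
/* glibc version-aware compare ("4.4.0-9" < "4.4.0-45"); declared here too so
 * the example builds even when _GNU_SOURCE is defined too late to matter. */
int strverscmp(const char *a, const char *b);

/* Newest release string in list[0..n-1], or NULL for an empty list. */
const char *newest_release(const char *const *list, size_t n)
{
    const char *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (!best || strverscmp(list[i], best) > 0)
            best = list[i];
    return best;
}

/* 1 if something newer than `running` is installed: the fix may be on disk
 * while the old kernel is still the one executing. */
int stale_kernel(const char *running, const char *const *installed, size_t n)
{
    const char *best = newest_release(installed, n);
    return best != NULL && strverscmp(best, running) > 0;
}

int main(void)
{
    /* Assumption: installed kernels appear as /boot/vmlinuz-<release>. */
    static char names[64][128];
    const char *list[64];
    size_t n = 0;
    struct utsname u;
    struct dirent *e;
    DIR *d = opendir("/boot");
    if (uname(&u) != 0 || d == NULL) return 2;
    while (n < 64 && (e = readdir(d)) != NULL)
        if (strncmp(e->d_name, "vmlinuz-", 8) == 0) {
            snprintf(names[n], sizeof names[n], "%s", e->d_name + 8);
            list[n] = names[n]; n++;
        }
    closedir(d);
    printf("running: %s, newer kernel installed: %s\n", u.release,
           stale_kernel(u.release, list, n) ? "yes, reboot into it" : "no");
    return stale_kernel(u.release, list, n);
}
```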
there is an *Evil* Torvaldis! (Score:2)
It's probably the most serious Linux local privilege escalation ever
The evil twin of Mr. Torvalds has been known to use Please and Thank you, and actively, as well, to wit:
"Now please, pretty please, with cherry on top, will you take your patch and take it out of my m*****ing kernel??"
He is working on the anti-kernel, as well, but that has been kept under wraps, until a proper EULA has been prepared.
In a nutshell (Score:2)
Re: (Score:2)
Where did you get "It only became a serious flaw recently"? It happened somewhere between 11 years ago and present, but no date is given for commit f33ea7f404e5 (I did try Google).
Re: (Score:2, Interesting)
Can someone explain this bug in English?
There is a thing called COW (copy on write). There is a bug where worker code can ride the cow over the fence and gain access to the farmer's private yard.
Moral of the story: Don't let people ride your cows, let them find their own darn *nix shell.
Or more literal version: People with user access can get administrator access without permission.
Re: Should have used APPS! (Score:4, Informative)
Yep. Processes have memory. Memory is divided into pages. Some pages are shared by multiple processes. Initially some pages are marked read only. If the child writes to the page you get a page fault. The fault causes the kernel to make a copy of the page and maps the copy into the original virtual address space.
Multiple processes may share that original readonly page, so if you exploit the bug and write to it then you actually are writing to a page shared by multiple processes.
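The copy-on-write behaviour described in the comment above, shown working as intended. This is an added example, not part of the original thread: a child writes through a private file mapping, and the parent's view and the file itself stay unchanged, which is the guarantee the bug under discussion breaks. The scratch file name and the function name are constructed for the demo.

```c
/* Added example (not from the thread): copy-on-write working as intended. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if a write through a MAP_PRIVATE mapping stayed private to the
 * writing process, 0 if it leaked, -1 on setup error.
 * The scratch file under /tmp is constructed for this demo. */
int cow_is_private(void)
{
    char path[] = "/tmp/cow_demo_XXXXXX";
    char disk[8], *map;
    int status = 0, ok = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    unlink(path);                        /* file lives until fd is closed */
    if (write(fd, "original", 8) != 8)
        goto out;
    /* Private mapping: the page is shared with the page cache until written. */
    map = mmap(NULL, 8, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED)
        goto out;
    pid_t pid = fork();
    if (pid == 0) {                      /* child: write faults, kernel copies */
        memcpy(map, "CHANGED!", 8);
        _exit(memcmp(map, "CHANGED!", 8) == 0 ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && pread(fd, disk, 8, 0) == 8)
        ok = WIFEXITED(status) && WEXITSTATUS(status) == 0  /* child saw its copy */
          && memcmp(map, "original", 8) == 0                /* parent unaffected  */
          && memcmp(disk, "original", 8) == 0;              /* file unaffected    */
    munmap(map, 8);
out:
    close(fd);
    return ok;
}

int main(void)
{
    int r = cow_is_private();
    printf("write through private mapping stayed private: %s\n",
           r == 1 ? "yes" : r == 0 ? "NO" : "setup error");
    return r == 1 ? 0 : 1;
}
```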
Re: (Score:2)
Modern app appers know that ONLY apps can app apps, NOT LUDDITE software like LUDDITE Linux, so appy app apps can't be apped by LUDDITE hackers!
You know, you gotta admire his persistence.
He could re-invent the smurfs, except everyone wears hipster clothing and says "apps" instead of "smurf"
Re: (Score:2)
A follower of Ned Ludd.
Some of Ned's mates smashed up automated weaving looms because they made a lot of weavers redundant. The plot was not very effective.
Eventually, the drop in price of cloth made by automated looms enabled the export of cloth to make England so rich it could afford an Empire*, and even the poor could afford to wear clothes. However, that was after two or three generations of abject poverty.
*Empires cost a lot of money. Sure they make a lot for a fe
Re: (Score:2)
Wikipedia is your friend.
I won't spoil it for you, but early in the industrial revolution a man with the last name "Ludd" started a movement to try and halt the spread of mechanization via acts of sabotage. The basic feature was fear of new methods and technologies.
People who subscribed to his ideology were called "Luddites". In more modern parlance, the term refers to anyone who is resistant to adopting new tech.
Re: (Score:2)
I won't spoil it for you, but early in the industrial revolution a man with the last name "Ludd" started a movement to try and halt the spread of mechanization via acts of sabotage.
The Luddites actually started as a mostly peaceful group demanding decent wages and safe working conditions. There is some dispute as to whether or not Ludd and the story of him smashing the knitting machine after a supervisor criticised his work are real. The group eventually did start sabotaging machines, but contrary to popular belief, they were not, and never were, anti-technology. It was just an industrial dispute that got nasty.
Read the whole sentence. "The fix will be obvious (Score:2)
The eyeballs quote from Eric S Raymond is about *fixing* bugs. It doesn't say anything like "there will never be a bug". There most definitely WILL be bugs in all software (except the space shuttle software). The end of the sentence is the words "the fix obvious to someone" and a few lines down he says it "can be rephrased as 'Debugging is parallelizable'". Linus clarified "Somebody finds the problem and somebody else understands it".
Would he include all of that discussion of how bugs are fixed if he even
Citation needed (Score:2)
It is unfortunate that it wasn't caught sooner. Do you have *any* reason to believe it was exploited years ago, or that anyone even thought it *could* be exploitable? To my knowledge, it was a crash bug, never considered a security issue until a few days agob