RED HAT has warned of a security flaw in the Linux kernel, dubbed 'Dirty COW', that has been present for almost a decade and which is now being exploited in the wild.
Phil Oester, the Linux security researcher who uncovered the flaw, explained to the INQ that the exploit is easy to execute and will almost certainly become more widely used.
"The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.
"As Linus [Torvalds] notes in his commit, this is an ancient bug and impacts kernels going back many years. All Linux users need to take this bug very seriously, and patch their systems ASAP."
Oester said that he uncovered the exploit for the bug, which has been around since 2007, while examining a server that appeared to have been attacked.
"One of the sites I manage was compromised, and an exploit of this issue was uploaded and executed. A few years ago I started packet capturing all inbound HTTP traffic and was able to extract the exploit and test it out in a sandbox," he told the INQ.
"These rolling packet captures have proved invaluable numerous times. I would recommend this extra security measure to all admins."
The Dirty COW moniker was applied as a descriptive of the security flaw. "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings," Red Hat warned in an advisory published this week.
"An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."
The Red Hat advisory suggested that the complexity of the attacks seen in the wild may make it difficult for antivirus and other security software to identify malware attempting to exploit the flaw.
"Although the attack can happen in different layers, antivirus signatures that detect Dirty COW could be developed," said the advisory.
"Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary.
"This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether."
Security professionals should, for the time being, use the security flaw to set up honeypots in order to identify how attackers might be trying to exploit the flaw.
The flaw has been written up in the CVE database. µ
One step ahead again
Gets moved to add-on store
Inspired a generation to make science from bobbins (sometimes literally)
Are advertised to go undetected by body orifice security scanners in prisons