Learn more about this vulnerability present in Linux systems and Android phones

By: Steve Snelgrove
Security Analyst
So you may have heard about the Dirty Cow vulnerability, but what kind of danger does it actually pose? Should you be worried about it?

Here are some things to know about this vulnerability, and what kind of threats it may pose to your business.

What is the Dirty Cow vulnerability? 

This vulnerability is called “Dirty Cow” because it exploits a mechanism called copy-on-write,
allowing an attacker to gain privilege escalation on the Linux kernel.

The Dirty Cow vulnerability can be found in practically every Linux system and was introduced to the core Linux kernel in 2007.  It’s a race condition found in Linux kernel’s memory subsystem.

What does the vulnerability do? 

This vulnerability allows the user to bypass the normal file system protections and write to files that are owned by the system. This opens up many avenues for attack, which results in the unprivileged user becoming rooted in the system and able to access any system resources.
Basically, an unprivileged user can gain full control of a Linux system through a very simple exploit code.

Who is affected? 

Primarily anyone who uses a Linux system and/or an Android phone could be affected. Since this vulnerability has existed since 2007, most, if not all Linux systems have been affected.

Is the Dirty Cow vulnerability dangerous? 

The short answer is yes. With the condition that you have to have a user-level presence on the system.

This bug is a serious vulnerability because it’s so widespread, and if the conditions mentioned above are right, it gives an attacker full control over your system to install malware and steal data. And all this can be done through a very simple exploit code.

The biggest problem is that the vulnerability has been in the Linux kernel for a long time. It’s easy to exploit, and it’s been in millions of computers thanks to the nine years it’s been around.

Another troubling element is the vulnerability is almost impossible for antivirus and security software to detect, and once exploited, there’s no evidence of what actions have been taken.

The good news is that in order to exploit this bug, the attacker must first be able to deliver the code on the system. Before they can even get close to the kernel stack, the attacker has to first gain access to your system. From the outside, normal protections against code execution should prevent exploitation of this vulnerability.

While the risk is very significant, the impact on ordinary users isn’t very high due to the difficulty to get the exploit code on the systems. In terms of web services and other network connected devices, delivering the code would be difficult to do. The real risk is when user-level access exists on a device, as well as the ability to execute programs on the device.

The Dirty Cow vulnerability has the most significant impact on Android phones, which are based on Linux. The situation is different because these phones have apps running as user-level programs. As a result, a malicious app could exceed their privileges to obtain information off the device.

Another problem with Android phones is that older versions likely won’t get a patch update, which could leave your phone vulnerable.

What should I do? 

A patch for the Dirty Cow vulnerability does exist and has been patched in updated versions of Linux.  So if your business uses Linux systems, make sure those systems are patched and updated.

If you use an Android, make sure your phone’s system is being updated regularly. You’ll also want to look out for malicious apps.

Basically, if you have updated your Linux software and if you are up to date on your network firewalls and other measures to protect your systems, you should be fine.

What should SecurityMetrics customers do?

As a SecurityMetrics customer, here’s what you should do:
  • Update all Linux systems/computers
  • Install the patch for the vulnerability if you can’t update
  • Make sure to update all Android phones. 
Lastly, don’t panic. While this vulnerability is serious, it can also be remediated quickly and easily. You should be fine if you make sure your systems are up to date.

Steven Snelgrove (CISSP) has been a Security Analyst at SecurityMetrics for over 7 years. Since 1980, Snelgrove has worked in the computer and telecommunications industry, and has familiarity with programming, software engineering, and network security. His current responsibilities includes the manual assessment of web applications and corporate networks, conducting ethical hacking to analyze security architecture, and consulting with organizations to help remediate issues. Snelgrove received a degree in Computer Science from Brigham Young University, and holds a CISSP (Certified Information Systems Security Professional) certification.