Dirty COW Linux vulnerability – what you need to know

Offal bug found in Linux.

Graham Cluley


What is Dirty COW?
It’s the name given to a newly discovered vulnerability in virtually all versions of the Linux operating system. More accurately it should be referred to as CVE-2016-5195 – but where is the fun in that?

But why Dirty COW?
According to the researchers who found the flaw, and created a website to share information about it:

“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”

Essentially it means that, if the vulnerability is left unpatched, a local user who can read a file can also write to it. Ouch!
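To make the quoted description concrete, here is an added example (not from the original article or from the Dirty COW researchers) of the copy-on-write guarantee that the bug broke: a write through a private mapping of a read-only file must land in a private copy, and a writable shared mapping of that file must be refused. The temp file template, the sample contents and the function names are assumptions made for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static const char ORIGINAL[] = "contents we may only read\n"; /* constructed sample */
#define LEN (sizeof ORIGINAL - 1)

/* Temp file holding ORIGINAL, reopened O_RDONLY as a read-only user would; fd or -1. */
static int open_sample_readonly(char *path) {
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    ssize_t n = write(fd, ORIGINAL, LEN);
    close(fd);
    return n == (ssize_t)LEN ? open(path, O_RDONLY) : -1;
}

/* 1 if a write via a MAP_PRIVATE mapping left the file untouched, 0 if not, -1 on error. */
int private_write_stays_private(void) {
    char path[] = "/tmp/cow_demo_XXXXXX", buf[LEN];
    int result = -1, fd = open_sample_readonly(path);
    if (fd < 0) return -1;
    char *map = mmap(NULL, LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map != MAP_FAILED) {
        map[0] = 'X'; /* COW break: the kernel hands us a private page copy */
        if (read(fd, buf, LEN) == (ssize_t)LEN) /* the file as everyone else sees it */
            result = map[0] == 'X' && memcmp(buf, ORIGINAL, LEN) == 0;
        munmap(map, LEN);
    }
    close(fd); unlink(path);
    return result;
}

/* 1 if the kernel refuses a writable MAP_SHARED mapping of a read-only fd, -1 on error. */
int shared_write_is_refused(void) {
    char path[] = "/tmp/cow_demo_XXXXXX";
    int fd = open_sample_readonly(path);
    if (fd < 0) return -1;
    void *map = mmap(NULL, LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    int refused = (map == MAP_FAILED && errno == EACCES);
    if (map != MAP_FAILED) munmap(map, LEN);
    close(fd); unlink(path);
    return refused;
}

int main(void) { return !(private_write_stays_private() == 1 && shared_write_is_refused() == 1); }
```

The program exits with status 0 when both guarantees hold. It shows the intended behaviour only and does not tell you whether a kernel is patched against CVE-2016-5195.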

So this is a privilege escalation vulnerability, rather than a potentially more dangerous code execution vulnerability?
Right. But don’t let that thought lure you into resting on your laurels, as researchers claim they have found an in-the-wild exploit using the vulnerability.

Okay. Is this a new vulnerability?
Umm.. unfortunately not. Although it has only recently been uncovered, it appears that the flaw has been present in the Linux kernel for going on nine years.

Sheesh.. isn’t the whole point of open source software that it’s available for anyone to review, find bugs, etc…? How come this wasn’t spotted and fixed earlier?
Good question.

Just earlier this week, research was published claiming that Linux bugs have a typical lifetime of approximately five years.

I run Red Hat / Debian / Ubuntu. Where can I find out more about what I should be doing?
That’s easy.

Anything else?
Be sure to check out the official Dirty COW website (yes, they have a website as well as a Twitter account, and the now obligatory vulnerability logo) at http://dirtycow.ninja/

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast.

3 comments on “Dirty COW Linux vulnerability – what you need to know”

  1. coyote

    ‘for going on nine years.’

    Actually it’s eleven years. Also, Linus attempted to fix it (badly as he put it) but there was another problem which made him roll it back (s390 architecture). He explains it all: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

    The fix is actually quite simple but was likely simply forgotten (I know I’ve done this many times before) so once the other problem was resolved this wasn’t.

    Edit: I meant to say: thanks for the ‘offal’ pun.

    Also: ‘So this is a privilege escalation vulnerability, rather than a potentially more dangerous code execution vulnerability?’
    But often the latter (e.g. spawning a root shell) leads to the former and depending on the privileges gained it is arguably just as bad.

    1. Jim · in reply to coyote

      Code execution: if you can write to a file owned by root, you could replace, say, the /bin/ping binary with another malicious binary, which you could then run as root. As I understand it.

      1. coyote · in reply to Jim

        The point was very often code execution can lead to privilege escalation i.e. they might as well be the same thing in the end. Also, I would say that privilege escalation (to root) is equally as bad if not worse because if you root the system you can also run that code (not to mention doing a load of other things).
