As regular readers of this blog will be well aware, we have a special place in our hearts for proper vulnerabilities with their own funky name, logo, the works.
Not only does it make ideas for this piece easier, these named and shamed issues nearly always exploit an error in ages-old code, often on Unix systems, fulfilling a prophecy by our in-house sage back in the day.
This week’s announcement is no exception. Phil Oester, who currently works at ‘Internet Brands’ and was formerly at Sony Online Entertainment, where presumably he had visibility of some very nasty business, has dug up a bug in the Linux Copy On Write memory handling subsystem (COW, geddit?), which enables an attacker to write to read-only memory and thereby elevate their privileges to a terrifying godlike status.
Now named Dirty Cow (love it!), this vulnerability appears to have been around for nearly ten years. DC is effective against many versions of RedHat, Debian and Ubuntu; exploit code has been published, and Mr Oester claims to have seen it in the wild. Ouch.
The boring kennel club name is: CVE-2016-5195.
You can read the original announcement here.
And you can read the bug’s very own fanboi site, which, very helpfully to all the “give it a go” scripters out there, includes the sample code, here.
Clearly if you are running RedHat, Debian or Ubuntu, you should go to the provider’s pages and implement the recommended remediations as they become available.
We will be looking at our internal systems and will be advising our customers to keep a careful eye on the vendor sites. You should also check your Clowd (sorry) Service Providers to ensure they are covering this off as well.
The reach of this bug may well spread as more systems are tested, including systems with an embedded Linux image; we will endeavour to keep you informed. We can assure you that although Mac OS X has had plenty of overwrite nasties in the past, both memory and file, it is not vulnerable to this due to its different parentage.
If you would like to discuss dirty cows, or any other dangers, do contact us at: [email protected] or call us on 020 7517 3900.