Dirty COW patch: flaw detected

by Jake Doevan

A flaw in the original patch for the infamous Dirty COW bug enables an adversary to run local code on affected systems and quickly perform a privilege escalation attack.


Dirty COW, CVE-2016-5195, was first revealed in October 2016. The security provider Bindecy identified a flaw in the patch and released the details of the bug in the original Dirty COW patch, CVE-2017-1000405.

The original Dirty COW bug affected a wide range of Linux distributions and the Android operating system.

Daniel Shapiro, a security researcher at Bindecy,[1] indicated:

“In terms of scope, the difference is just that the current bug is not applicable to Android and Red Hat Enterprise Linux. All other distributions – Ubuntu, Fedora, SUSE – suffer from the issue. So, the scope is still large. We estimate that millions of machines are vulnerable.” 

The original Dirty COW bug was patched in October last year, once it was disclosed in public exploits. The vulnerability was found in the copy-on-write (COW) feature of the Linux operating system and could allow an attacker to obtain privileges on any device that runs Linux or Android.

The security researcher stated that the October 2016 patch covered both regular pages and transparent huge pages.[2]

There is a code flow that wasn’t taken into account that breaks the logic of the patch for transparent huge pages. In the original vulnerability, the exploit targeted pages backed by read-only files; with the new bug we could write to a read-only special huge-page called ‘zero page’. It is assumed to be initialized with zeroes and some software relies on that assumption (including privileged processes).

Ben Yaakov, a technical at Bindecy, provided a detailed description of the vulnerability and the flaw in the patch. To sum up, he wrote:

“This bug demonstrates the importance of patch auditing in the security development life-cycle. As the Dirty COW case and other past cases show, even hyped vulnerabilities may get incomplete patches.”

According to a description of the mitigation steps:[3]

It is possible to prevent the zero page from being mapped as a huge page, by modifying a configuration tunable in the /sys directory… This prevents the flaw from being exercised in this method.

    # echo 0 > /sys/kernel/mm/transparent_hugepage/use_zero_page

Disabling huge pages: It is possible to mitigate this flaw by disabling hugepages on a system.
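To confirm that either mitigation quoted above is actually in effect on a host, the following check reads the relevant tunables; it is an added example, not code from the original article, Bindecy or the cited advisory. The `enabled` file, the `never` mode as the way huge pages are disabled, and the function names are assumptions based on the standard Linux THP sysfs interface, not details given on this page.

```shell
#!/bin/sh
# Added example: report whether the huge zero page mitigation is in effect.
# THP_DIR can be overridden to run the check against a fixture directory.
THP_DIR="${THP_DIR:-/sys/kernel/mm/transparent_hugepage}"

# Print the active THP mode: "always [madvise] never" -> madvise
# (assumption: the standard "enabled" file, which the article does not name).
thp_mode() {
    sed -n 's/.*\[\([a-z]*\)\].*/\1/p' "$1/enabled" 2>/dev/null
}

# Print one verdict line. Returns 0 = mitigated, 1 = exposed, 2 = unknown.
thp_zero_page_status() {
    dir="${1:-$THP_DIR}"
    if [ ! -d "$dir" ]; then
        echo "unknown: $dir not found"
        return 2
    fi
    mode=$(thp_mode "$dir") || mode=""
    # "never" means transparent huge pages are disabled entirely.
    if [ "$mode" = "never" ]; then
        echo "mitigated: transparent huge pages disabled"
        return 0
    fi
    if [ ! -r "$dir/use_zero_page" ]; then
        echo "unknown: cannot read $dir/use_zero_page (mode=${mode:-?})"
        return 2
    fi
    zero=$(cat "$dir/use_zero_page")
    case "$zero" in
        0) echo "mitigated: huge zero page disabled (mode=${mode:-?})"; return 0 ;;
        1) echo "exposed: huge zero page enabled (mode=${mode:-?})"; return 1 ;;
        *) echo "unknown: unexpected use_zero_page value '$zero'"; return 2 ;;
    esac
}

# Usage: thp_zero_page_status            (live system)
#        thp_zero_page_status /tmp/thp   (fixture directory)
```

A "mitigated" verdict reflects only these runtime tunables, which reset at reboot unless reapplied; it says nothing about whether the running kernel carries the fix.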

In addition, the researchers at Bindecy ended with the statement that, “The real deal here is the astonishing fact that such a hyped vulnerability was patched incompletely.”[4]


About the author

Jake Doevan - Computer security guru

Jake Doe is a security expert and news editor of Reviewedbypro.com. His major is Communication and Journalism, which he obtained from the Washington and Jefferson College.
