
What is the Dirty COW exploit, and how to prevent it

By Eyal Katz March 27, 2024

Dirty COW, a seemingly light-hearted name, masks a severe Linux privilege escalation issue. This bug has affected many older Linux systems, which is concerning given that 41% of web servers run on Linux. 

Despite widespread patches in distributions like Ubuntu and Red Hat, Dirty COW remains a threat, particularly to outdated systems. As a significant security flaw, it poses risks to various devices and servers even in 2024. 

In 2023, this vulnerability was exploited in a notable cyber attack on Magento 2 eCommerce sites, showcasing Dirty COW’s continued threat to systems, especially those with outdated Linux kernels. More on this below.

Now to the critical question – are you at risk? If so, how can you protect yourself from Dirty COW?  

What is the Dirty COW exploit?

Dirty COW (assigned CVE-2016-5195) is a privilege escalation vulnerability in some versions of the Linux Kernel that affects Linux and Android systems that run versions of the Linux Kernel predating 2018.

By exploiting the Dirty COW vulnerability, attackers gain write access to otherwise read-only memory mappings. This enables them to elevate their account privileges in the system by, for example, overwriting a user’s UID in /etc/passwd or making changes to existing setuid files to include instructions to elevate privileges.

Disclosed in October 2016, the Dirty COW vulnerability lurked in the code of the popular operating system core since 2007. At the time of disclosure, this vulnerability affected most Linux distributions and kernel versions. The distributions affected included:

  • CentOS Linux 7.x
  • CentOS Linux 6.x
  • CentOS Linux 5.x
  • Debian Linux wheezy
  • Debian Linux jessie
  • Debian Linux stretch
  • Debian Linux sid
  • Ubuntu Linux precise (LTS 12.04)
  • Ubuntu Linux trusty
  • Ubuntu Linux xenial (LTS 16.04)
  • Ubuntu Linux yakkety
  • Ubuntu Linux vivid/ubuntu-core
  • Red Hat Enterprise Linux 7.x
  • Red Hat Enterprise Linux 6.x
  • Red Hat Enterprise Linux 5.x
  • SUSE Linux Enterprise 11
  • SUSE Linux Enterprise 12

One of the few privilege escalation exploits to be widely adopted by the community, the Dirty COW exploit derives its name from the kernel feature it abuses – copy-on-write (COW).

The vulnerability had been present in the Linux kernel since version 2.6.22 (released in September 2007), but has since been patched in versions 4.8.3, 4.7.9, 4.4.26, and newer. That said, there is ample evidence of Dirty COW being employed by malefactors in the wild to take over unpatched servers, even though executing the exploit leaves no trace in web server logs. It has also been found as a component of Android malware discovered in the wild.

How the Dirty COW exploit works

The Dirty COW exploit is a case of exploiting a race condition vulnerability. Here, the attacker takes advantage of the root-level permissions the kernel itself runs with and triggers a race condition that escalates a low-privileged user to a user with full root privileges.

What is a race condition?

When a running software program encounters multiple code paths that execute concurrently, it can “confuse” the software and create a “race” between the code paths, causing them to conclude in a different order than anticipated, thus resulting in bugs and unexpected application behavior.

In the case of the Dirty COW exploit, the race is between two operations: one operation writing to COW memory mappings and another continuously disposing of them. When these operations repeat non-stop, the kernel can be confused into writing data to read-only memory mappings instead of first creating a private copy of the data. Alternatively, the target system will crash.


If you want to dive into a blow-by-blow description of the exploit, Dirty Cow Demo offers a great visual explanation that details how Dirty COW tricks the kernel into letting it write to read-only memory mappings.

Examples of the Dirty COW exploit

The basic “In the Wild” Dirty Cow exploit is a building block for multiple POCs you can download and test. With the ability to write data to read-only memory, you can:

Why should you care about the Dirty COW exploit in 2024?

Although it’s a patched Linux kernel bug, attackers continue to use it in their activities. This ongoing threat makes it important to be aware of Dirty COW, even years after its initial discovery and patching.

In mid-2023, Akamai’s security team found that attackers targeted eCommerce sites using Magento 2. The attack, named Xurum and traced to Russia, used the Dirty COW exploit for privilege escalation on Linux servers. This approach was effective on servers running outdated, unpatched kernel versions.

Detect Dirty Cow Exploit Vulnerability

Cyberattackers often use a trial-and-error method to exploit known vulnerabilities, even if they’ve been patched. They focus on these weaknesses because unpatched vulnerabilities remain a major issue in enterprise IT and DevOps. These unpatched issues contribute to about 60% of all data breaches, highlighting their significance in cybersecurity.

How to Prevent Dirty COW Exploit Attacks

The Dirty COW exploit is dangerous, but it’s easy to defend against, especially if you haven’t patched the vulnerability for a while, or practiced security hardening.

But how exactly do you defend against and prevent Dirty Cow exploit attacks? Here are the top 3 things you can do.

1. Protect against code execution through secrets exposure

To protect against the CVE-2016-5195 vulnerability – aka Dirty COW – it’s vital to control server access and permissions. This exploit requires the attacker to have the ability to write and execute code on the system. 

Ensuring that proper access controls and credentials are in place is a key defense. Problems like secrets sprawl – which is the uncontrolled distribution and exposure of sensitive information like passwords, API keys, and credentials across a system – can be the gateway for Dirty COW exploits to occur. 

Tools that perform automated scanning for exposed secrets like Spectral can help mitigate secrets sprawl. How? Maintaining robust access controls and credentials management prevents unauthorized code execution and system compromise.

2. Scan your IaC and Containers

To safeguard containerized applications from Dirty COW exploits, it’s important to regularly scan your Infrastructure as Code (IaC) and containers. Dirty COW can modify read-only data even within containers. You can automate this process by checking the kernel version in your CI/CD security pipeline.

You can automate the discovery of servers and containers vulnerable to Dirty COW by checking the kernel version of the image you intend to deploy as part of your CI/CD pipeline. Tools like Ansible offer scripts to check for Dirty COW vulnerabilities.
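The kernel-version check described above, as an added example that is not code from the article or from Spectral: a POSIX shell function that classifies a `uname -r` string against the upstream fix versions the article names (4.8.3, 4.7.9, 4.4.26; 4.9 and later shipped fixed). It assumes a plain `major.minor.patch` prefix in the release string. Because distributions backport fixes without changing the upstream version (the article lists RHEL 5’s 2.6.x kernels as affected, and a patched distro 4.4.0 kernel reads as “below 4.4.26”), a “vulnerable” result means “check the vendor changelog”, not a final verdict.

```shell
# Added example, not from the Spectral article: classify a kernel release
# string against the upstream Dirty COW (CVE-2016-5195) fix versions.
# Vendor kernels backport fixes without bumping the upstream version, so
# "vulnerable" here means "verify against the distribution's changelog".

# dirty_cow_status "<uname -r output>"  ->  prints patched|vulnerable|unknown
# Return code: 0 patched, 1 vulnerable (by upstream version), 2 unparseable.
dirty_cow_status() {
    # Keep only the leading numeric triple: "4.4.0-47-generic" -> "4 4 0"
    ver=$(printf '%s' "$1" | sed -n 's/^\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\).*/\1 \2 \3/p')
    if [ -z "$ver" ]; then
        echo unknown; return 2
    fi
    set -- $ver
    major=$1; minor=$2; patch=$3

    # Any 4.9+ kernel (and every 5.x/6.x) includes the upstream fix.
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 9 ]; }; then
        echo patched; return 0
    fi
    # Stable branches that received the fix, with the first fixed patch level
    # (4.8.3, 4.7.9, 4.4.26 as named in the article).
    case "$major.$minor" in
        4.8) fixed=3 ;;
        4.7) fixed=9 ;;
        4.4) fixed=26 ;;
        *)   fixed= ;;
    esac
    if [ -n "$fixed" ] && [ "$patch" -ge "$fixed" ]; then
        echo patched; return 0
    fi
    # Every other pre-4.9 branch is end-of-life upstream: treat as vulnerable
    # unless the distribution backported the fix (no lower bound is applied,
    # since vendor 2.6.x kernels such as RHEL 5's were affected too).
    echo vulnerable; return 1
}

# Convenience wrapper for the running host: prints the verdict, exits with it.
check_this_host() {
    dirty_cow_status "$(uname -r)"
}
```

In a CI job, call `dirty_cow_status` on the kernel version reported by the base image or host and fail the pipeline on a non-zero return, then confirm any “vulnerable” hit against the vendor’s security advisory before acting.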

3. Automate kernel patching

Automating kernel patching is key in responding to vulnerabilities like Dirty COW. Initially, manually patching affected systems as soon as a fix is available is essential. However, manual patching can be repetitive and time-consuming. The better approach is automated live patching. Many Linux distributions offer this service to their enterprise customers. 

For example, Ubuntu’s Livepatch service automatically applies security patches without rebooting the system. This method ensures your systems are always up-to-date, reducing the risk of security breaches.

Mitigating the risk of the Dirty COW exploit and others with Spectral

Dirty COW may be old, but that doesn’t stop malefactors from trying to milk it for privilege escalation on compromised systems. Moreover, it has inspired and served as a base for countless POCs and other dangerous exploits like Dirty PIPE.

The story of the Dirty COW vulnerability, its severity, and the length of time it spent lurking in the shadows of the Linux kernel code before it was fixed make one thing crystal clear: scanning your code and infrastructure for third-party vulnerabilities is vital to the delivery of secure code and applications.

Spectral detects the Dirty COW and other exploits that may be present in your systems and provides a centralized and contextual view of all the vulnerabilities that may impact your application and infrastructure. The Dirty COW exploit detection script is just one of over 2000 customizable vulnerability detectors that come bundled into the Spectral platform, empowering your DevSecOps teams with auto-remediation and actionable mitigation suggestions. Request a demo today.
