- Researcher Hyunwoo Kim reveals Dirty Frag: nine-year-old kernel flaw allows root privilege escalation on major Linux distributions
- The exploit chains two page cache write bugs, works reliably without race conditions, and currently has no CVEs or fixes.
- Mitigation requires disabling vulnerable kernel modules, but this breaks IPsec VPNs and AFS, leaving systems exposed until patches arrive.
Some of the most widely used and influential Linux distributions are vulnerable to a zero-day flaw that allows threat actors to gain root privileges, and no patch has yet been made public, experts have warned.
Security researcher Hyunwoo Kim revealed he discovered a nine-year-old flaw and published a proof-of-concept (PoC) exploit.
He named the vulnerability Dirty Frag and explained that it works by chaining together two kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability. This allowed him to modify memory-protected system files without having the proper permission.
Available mitigations
Kim explained that he had shared his findings under embargo with the maintainers of the various Linux distributions to give everyone time to prepare updates. However, that embargo was apparently broken on May 7, when a third party published the exploit.
“As the embargo is currently broken, no patches or CVEs exist. After consulting with and requesting the maintainers at [email protected], this Dirty Frag document is being released,” Kim said.
In addition to not having a CVE, the bug has not yet received a severity score. However, since this is an unauthenticated privilege escalation flaw, it can be assumed that it will receive a critical severity rating (9.0 and above).
So far, Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora have all been confirmed to be vulnerable and have not yet received patches.
“As with the previous Copy Fail vulnerability, Dirty Frag also allows for immediate root privilege escalation on all major distributions and chains together two separate vulnerabilities,” Kim said. “As this is a deterministic logic bug that does not depend on a time window, no race conditions are required, the kernel does not panic when the exploit fails, and the success rate is very high.”
The only mitigation currently available is to remove the vulnerable kernel modules esp4, esp6, and rxrpc, but doing so breaks IPsec VPNs and AFS distributed network file systems.
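As an added illustration of that mitigation (this script is not from the article or from Kim's research), the following POSIX shell checks lsmod-style output for the three modules the article names and prints a modprobe.d fragment that stops them from being loaded; the config path, the `install <module> /bin/false` approach and the sample lsmod output are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original article. Module names (esp4, esp6,
# rxrpc) are the ones the article says must be removed; everything else here
# (file path, sample data, the "install ... /bin/false" technique) is assumed.

VULN_MODULES="esp4 esp6 rxrpc"

# loaded_vuln_modules: read lsmod-style output on stdin and print the names of
# the affected modules that are currently loaded, one per line, in lsmod order.
loaded_vuln_modules() {
    awk -v list="$VULN_MODULES" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        NR > 1 && ($1 in w) { print $1 }'
}

# blocklist_config: print a modprobe.d fragment. "install <mod> /bin/false"
# makes every load attempt (including alias-driven autoload) fail, which is
# stronger than a plain "blacklist" line, which only suppresses autoload.
blocklist_config() {
    for m in $VULN_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Constructed lsmod-style sample so the script runs offline.
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   28672  2
xfrm_algo              16384  1 esp4
rxrpc                 245760  0
ext4                  876544  1'

main() {
    echo "Loaded modules named in the advisory (sample data):"
    printf '%s\n' "$SAMPLE_LSMOD" | loaded_vuln_modules
    echo
    echo "Suggested /etc/modprobe.d/dirty-frag.conf contents:"
    blocklist_config
    # On a real host, as root: lsmod | loaded_vuln_modules, then
    #   blocklist_config > /etc/modprobe.d/dirty-frag.conf
    #   modprobe -r esp4 esp6 rxrpc   # fails if a module is still in use
    # As the article notes, this breaks IPsec VPNs (esp4/esp6) and AFS (rxrpc),
    # so plan for that outage before applying it.
}

main
```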
Via BleepingComputer