New Dirty-Frag Exploit Targets Linux Kernel: Serious Memory Flaw Grants Root Access

Like Copy Fail, Dirty Frag should work on virtually all Linux distributions, since it's a kernel exploit.
So, what exactly is Dirty Frag, and what connects it to Copy Fail? The researchers who discovered it, V4bel and Nriver on GitHub, explain that "Copy Fail was the motivation for starting this research. In particular, [the page cache write] in the Dirty Frag vulnerability chain shares the same sink as Copy Fail. However, it is triggered regardless of whether the algif_aead module is available. In other words, even on systems where [Copy Fail mitigation] is applied, your Linux is still vulnerable to Dirty Frag."
Spooky! Fortunately, mitigating the flaw ahead of any patch is dead simple. Per the original GitHub page, a user need only "use the following command to remove the modules in which the vulnerabilities occur and clear the page cache."
sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; echo 3 > /proc/sys/vm/drop_caches; true"
Running that command on your Linux distribution of choice unloads the vulnerable modules and prevents them from being loaded again. Anyone who relies on those modules will have to wait for a formal patch before they can safely use them without opening themselves up to Dirty Frag.
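A check script, added here and not taken from the article or from the researchers' GitHub page, that verifies the module side of the mitigation above: that /etc/modprobe.d/dirtyfrag.conf blocks all three modules and that none of them is still loaded (the one-liner silences rmmod with 2>/dev/null, so a module that was in use at the time can stay loaded unnoticed). The functions take file paths so they can also be run on saved copies of the files; the drop_caches step leaves no state behind to verify and is not checked.

```shell
#!/bin/sh
# Verifies the Dirty Frag pre-patch module mitigation.
# Module names and config path are those used by the mitigation command above.
MODULES="esp4 esp6 rxrpc"

# Returns 0 only if the given modprobe config carries an
# "install <module> /bin/false" line for every vulnerable module.
conf_blocks_all() {
    conf="$1"
    for m in $MODULES; do
        grep -q "^install $m /bin/false" "$conf" 2>/dev/null || return 1
    done
    return 0
}

# Prints, one per line, the vulnerable modules that appear in a
# /proc/modules-format file (first column is the module name).
loaded_vulnerable() {
    procmods="$1"
    for m in $MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$procmods"; then
            echo "$m"
        fi
    done
}

# Overall verdict: 0 = blocked and unloaded, 1 = mitigation incomplete.
check_status() {
    conf="$1"
    procmods="$2"
    conf_blocks_all "$conf" || return 1
    [ -z "$(loaded_vulnerable "$procmods")" ] || return 1
    return 0
}

# Live check against the real files when run as a script on Linux.
if [ -r /proc/modules ]; then
    if check_status /etc/modprobe.d/dirtyfrag.conf /proc/modules; then
        echo "Dirty Frag module mitigation: in place"
    else
        echo "Dirty Frag module mitigation: NOT in place" \
             "(still loaded: $(loaded_vulnerable /proc/modules | tr '\n' ' '))"
    fi
fi
```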
It's a rough time for Linux kernel security, but Copy Fail is already effectively patched and Dirty Frag can be mitigated by hand with a single long console command. No other major Linux kernel exploits are known to be in circulation, so system admins and enthusiasts can rest easy once the Dirty Frag mitigation above has been applied.
It still goes to show that admins should be careful about who is given system access: more exploits like these, able to gain full root (system admin) access from user space, are sure to come. Whether those exploits matter when that day comes depends on who you trust with access to your Linux server, and on what mitigations (backups and the like) you have in place should an authorized user or guest go rogue.
Image Credit: maskimko on Pixabay