Dirty Frag: New Universal Linux Local Privilege Escalation Vulnerability Disclosed
A new local privilege escalation (LPE) vulnerability in the Linux kernel, named 'Dirty Frag,' has been revealed less than two weeks after the Copy Fail vulnerability. Discovered by researcher Hyunwoo Kim, Dirty Frag allows unprivileged local users to escalate to root privileges on most major Linux distributions. The vulnerability stems from an embargo breach, resulting in public exploit code availability but no assigned CVE identifier. It chains two sub-vulnerabilities involving xfrm-ESP and RxRPC page-cache writes, exploiting in-place crypto operations on zero-copy send paths. This affects kernels dating back to 2017 and poses significant risks, including potential container escapes. Unlike Copy Fail, which targets the AF_ALG interface, Dirty Frag exploits ESP and RxRPC decryption fast paths. Immediate mitigation involves denylisting vulnerable kernel modules (esp4, esp6, rxrpc), though this may disrupt IPsec VPNs or AFS filesystems. System administrators are urged to assess impacts and apply live patches where available, such as those from CloudLinux KernelCare, while waiting for official distribution updates. The lack of a CVE ID complicates automated tracking, necessitating manual vigilance from system owners to prevent exploitation.
Wire timeline
Dirty Frag: New Universal Linux Local Privilege Escalation Vulnerability Disclosed
A new local privilege escalation (LPE) vulnerability in the Linux kernel, named 'Dirty Frag,' has been revealed less than two weeks after the Copy Fail vulnerability. Discovered by researcher Hyunwoo Kim, Dirty Frag allows unprivileged local users to escalate to root privileges on most major Linux distributions. The vulnerability stems from an embargo breach, resulting in public exploit code availability but no assigned CVE identifier. It chains two sub-vulnerabilities involving xfrm-ESP and RxRPC page-cache writes, exploiting in-place crypto operations on zero-copy send paths. This affects kernels dating back to 2017 and poses significant risks, including potential container escapes. Unlike Copy Fail, which targets the AF_ALG interface, Dirty Frag exploits ESP and RxRPC decryption fast paths. Immediate mitigation involves denylisting vulnerable kernel modules (esp4, esp6, rxrpc), though this may disrupt IPsec VPNs or AFS filesystems. System administrators are urged to assess impacts and apply live patches where available, such as those from CloudLinux KernelCare, while waiting for official distribution updates. The lack of a CVE ID complicates automated tracking, necessitating manual vigilance from system owners to prevent exploitation.
SANS Internet Storm Center, InfoCON: green