A new Linux zero-day vulnerability, known as "Dirty Frag," has been discovered that allows local attackers to gain root privileges on most major Linux distributions with a single command. This vulnerability was introduced roughly nine years ago in the Linux kernel's algif_aead cryptographic algorithm interface and has been found by security researcher Hyunwoo Kim.
A new Linux zero-day vulnerability, known as "Dirty Frag," has been discovered that allows local attackers to gain root privileges on most major Linux distributions with a single command. This vulnerability was introduced roughly nine years ago in the Linux kernel's algif_aead cryptographic algorithm interface and has been found by security researcher Hyunwoo Kim.
Dirty Frag works by chaining two separate kernel flaws, the xfrm-ESP Page-Cache Write vulnerability and the RxRPC Page-Cache Write vulnerability, to modify protected system files in memory without authorization and achieve privilege escalation. This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.
According to Kim, Dirty Frag belongs to the same class as the Dirty Pipe and Copy Fail Linux vulnerabilities, which also exploit the fragment field of different kernel data structures. The vulnerability has yet to receive a CVE-ID for tracking and affects a wide range of Linux distros, including Ubuntu, Red Hat Enterprise Linux, CentOS Stream, AlmaLinux, openSUSE Tumbleweed, and Fedora, which have not yet received patches.
To secure systems against attacks, Linux users can use the following command to remove the vulnerable esp4, esp6, and rxrpc kernel modules: sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true". However, this will break IPsec VPNs and AFS distributed network file systems.
The discovery of Dirty Frag comes as Linux distro maintainers are still rolling out patches for "Copy Fail," another root privilege escalation vulnerability now actively exploited in attacks. In April, Linux distros patched another root-privilege escalation vulnerability (dubbed Pack2TheRoot) that had been found after a decade since it was introduced in the PackageKit daemon.
"As with the previous Copy Fail vulnerability, Dirty Frag likewise allows immediate root privilege escalation on all major distributions, and it chains two separate vulnerabilities," Kim said. "Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high."
Dirty Frag demo (Hyunwoo Kim)
"Because the embargo has currently been broken, no patch or CVE exists. After consultation with the maintainers on linux-distros@vs.openwall.org and at their request, this Dirty Frag document is being published," Kim said.
In April, CISA added Copy Fail to its Known Exploited Vulnerabilities (KEV) Catalog, ordering federal agencies to secure their Linux devices within two weeks, by May 15. This type of vulnerability poses significant risks to the federal enterprise and applies mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
"99% of What Mythos Found Is Still Unpatched," said Kim. "The autonomous validation summit will be held on May 12 & 14 to see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop."
Related Articles: CISA says ‘Copy Fail’ flaw now exploited to root Linux systemsNew Linux ‘Copy Fail’ flaw gives hackers root on major distrosRecently leaked Windows zero-days now exploited in attacksNew ‘Pack2TheRoot’ flaw gives hackers root Linux accessMicrosoft releases emergency patches for critical ASP.NET flaw
Advertise with us: