Two vulnerabilities have been identified in the Linux kernel that are similar in nature to the Copy Fail vulnerability disclosed a few days ago, but affect different subsystems: xfrm-ESP and RxRPC. The series of vulnerabilities has been codenamed Dirty Frag (also referred to as Copy Fail 2). These vulnerabilities allow an unprivileged user to gain root privileges by overwriting process data in the page cache. An exploit is available that works on all current distributions. The vulnerability was disclosed before patches were released, but a workaround exists to block the issue.
Dirty Frag covers two different vulnerabilities: the first in the xfrm-ESP module, used to accelerate IPsec encryption operations using the ESP (Encapsulating Security Payload) protocol, and the second in the RxRPC driver, which implements the AF_RXRPC socket family and the RPC protocol of the same name, running over UDP. Each vulnerability, taken separately, is sufficient to obtain root privileges. The xfrm-ESP vulnerability has been present in the Linux kernel since January 2017, and the RxRPC vulnerability since June 2023. Both issues are caused by optimizations that allow direct writes to the page cache.
To exploit the vulnerability in xfrm-ESP, the user must have the right to create namespaces; to exploit the vulnerability in RxRPC, it must be possible to load the kernel module rxrpc.ko. For example, in Ubuntu, AppArmor rules prohibit unprivileged users from creating namespaces, but the rxrpc.ko module is loaded by default. Some distributions lack the rxrpc.ko module but do not block namespace creation. The researcher who discovered the issue developed a combined exploit capable of attacking the system through either vulnerability, making it possible to exploit the issue in all major distributions. The exploit has been confirmed to work in Ubuntu 24.04.4 with kernel 6.17.0-23, RHEL 10.1 with kernel 6.12.0-124.49.1, openSUSE Tumbleweed with kernel 7.0.2-1, CentOS Stream 10 with kernel 6.12.0-224, AlmaLinux 10 with kernel 6.12.0-124.52.3 and Fedora 44 with kernel 6.19.14-300.
As with the Copy Fail vulnerability, the issues in xfrm-ESP and RxRPC are caused by in-place data decryption combined with the splice() system call, which transfers data between file descriptors and pipes without copying by passing references to pages in the page cache. Write offsets were calculated without checks accounting for the fact that the buffers are direct references to page cache pages, so specially crafted requests can overwrite 4 bytes at a chosen offset and thereby modify the cached contents of any file.
All file read operations retrieve contents from the page cache first. If data in the page cache is modified, file reads return the substituted data rather than the actual information stored on the drive. Exploitation of the vulnerability therefore boils down to modifying the page cache entry for an executable file with the setuid root flag. For example, to gain root privileges, an attacker could read the executable file /usr/bin/su so that it is placed in the page cache, and then substitute their own code into the cached contents of this file. Subsequent execution of the "su" utility loads the modified copy from the page cache into memory, not the original executable file from the drive.
The vulnerability disclosure and coordinated release of patches were scheduled for May 12, but due to a leak, the vulnerability information had to be published before the patches were released. In late April, patches for rxrpc, ipsec, and xfrm were posted to the public netdev mailing list without mentioning that they were related to the vulnerability. On May 5, the IPsec subsystem maintainer accepted a change into the netdev Git repository with a proposed fix in the xfrm-esp module. The description of the change was largely identical to the description of the issue behind the Copy Fail vulnerability in the algif_aead module. A security researcher became interested in this fix, managed to create a working exploit, and published it, unaware that an embargo had been imposed on disclosing information about the issue until May 12.
Updated Linux kernel packages for distributions have not yet been published, but patches that address the issues are available for xfrm-esp and rxrpc. CVE identifiers have not been assigned, which complicates tracking package updates in distributions. As a workaround, you can block the loading of the esp4, esp6, and rxrpc kernel modules:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"
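The one-liner above applies the workaround but does not tell you whether it took effect. The following script is an added example, not part of the original article or of any distribution's tooling: it generates the same modprobe configuration, verifies that every affected module has an install-to-/bin/false rule, and reports which of the affected modules are still loaded according to /proc/modules. The target directory is a parameter so the functions can be exercised without root; the default of /etc/modprobe.d and the config file name dirtyfrag.conf are taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): write and verify the
# modprobe blacklist that blocks the esp4, esp6 and rxrpc modules.

AFFECTED_MODULES="esp4 esp6 rxrpc"

# Print the modprobe rules that redirect each affected module to /bin/false,
# which makes "modprobe <module>" fail instead of loading it.
dirtyfrag_conf_content() {
    for m in $AFFECTED_MODULES; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Write the rules to <dir>/dirtyfrag.conf. <dir> defaults to /etc/modprobe.d
# (requires root there); a temporary directory works for testing.
write_dirtyfrag_conf() {
    dir="${1:-/etc/modprobe.d}"
    dirtyfrag_conf_content > "$dir/dirtyfrag.conf"
}

# Return 0 only if the given config file contains an install-to-/bin/false
# rule for every affected module; a partial file (one module missing) fails.
check_dirtyfrag_conf() {
    conf="$1"
    [ -r "$conf" ] || return 1
    for m in $AFFECTED_MODULES; do
        grep -q "^install $m /bin/false" "$conf" || return 1
    done
    return 0
}

# Print the names of affected modules that are currently loaded, one per
# line, by reading /proc/modules (first column is the module name).
# Prints nothing when none are loaded or /proc/modules is unavailable.
loaded_affected_modules() {
    [ -r /proc/modules ] || return 0
    awk '$1 == "esp4" || $1 == "esp6" || $1 == "rxrpc" { print $1 }' /proc/modules
}

# Stand-alone usage: write the config (to $1 or /etc/modprobe.d), verify it,
# then unload anything still resident, mirroring the article's one-liner.
if [ "${DIRTYFRAG_APPLY:-0}" = "1" ]; then
    write_dirtyfrag_conf "$1"
    check_dirtyfrag_conf "${1:-/etc/modprobe.d}/dirtyfrag.conf" || {
        echo "config check failed" >&2
        exit 1
    }
    for m in $(loaded_affected_modules); do
        rmmod "$m" 2>/dev/null || echo "could not unload $m (in use?)" >&2
    done
fi
```

Run it as root with DIRTYFRAG_APPLY=1 to apply the workaround; without that variable the script only defines the functions, so it can be sourced from a compliance check. A module that rmmod cannot unload because it is in use stays loaded until reboot, which is why the script reports it rather than silently continuing.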
Source: opennet.ru
