Important - "Dirty Frag" Linux root exploit - Enhance Control Panel

Important - "Dirty Frag" Linux root exploit

Adam

We have recently been made aware of another root exploit found in the Linux kernel. We have verified the PoC on a server running Ubuntu 24.04 and 6.8.0-111.

https://github.com/V4bel/dirtyfrag/tree/master

This is very new and was disclosed earlier than planned so there is no kernel patch and we're potentially a long way from an updated kernel package being released by Ubuntu.

The mitigation suggested at the above url appears to work and I would recommend applying it to all servers immediately. It will break IPsec and AFS (distributed file system). If you're not familiar with those technologies, you are not using them.

From the above link:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

I would suggest to reboot after applying the mitigation if possible.

cPFence

Adam

Thanks! , what a week for server admins… this should be called the week of vulnerabilities. We’ve had several serious issues appear back-to-back in just a few days.

webnestify

Damn Mythos...

net

webnestify This was discovered by researcher Hyunwoo Kim. This is worse than "Copy Fail".

Adam

Warning - if you run the PoC then you must reboot after applying the mitigation. Otherwise it will continue to be exploitable.

presswizards

Wow, another one. Thanks for sharing, very helpful.

JohnBee

Anyone know if this is specific to Ubuntu - ie, contrasting with Debian etc?

AnthonyR

JohnBee It's a universal linux exploit that works on the Kernel itself. It is exploitable on all Linux distros.

Adam

It's very likely to be exploitable on Debian.

danfaulknor

Just tested on Debian 13 and it is exploitable.

xyzulu

Make up your own minds, but a way to stop this before a reboot is mentioned here: https://github.com/V4bel/dirtyfrag/issues/1#issuecomment-4401682989

Drop page caches to have it effected at runtime
sudo echo 3 > /proc/sys/vm/drop_caches

Keep in mind this was a hurriedly released patch.. so while it's vital to patch, there will be more information and fixes related to this most likely released by Ubuntu asap.. I imagine (there should be) at least a blog post in the next 24hrs.

Josh

Once again, thanks for sending an email out and making a write up! Very happy with the support from Enhance vs what I've been seeing with other companies recently.

Adam

We've been asked a few times whether the Enhance per-website containerisation offers any protection from this.

It's true that escalation to root by a customer or through a compromised CMS (WordPress, etc) would be limited to the website container. However it could potentially be chained with a different exploit to allow breakout from the container. Or a different remote code execution bug in a non-Enhance service (for example in Apache) could be used to deliver the local privilege escalation payload.

Therefore this exploit and other similar exploits should be handled with the utmost urgency by applying the mitigation and updating to the latest kernel as soon as it is released by Ubuntu.

WebGee

That's what has been mention by Adam simply.

Dieter

It would be nice if they could give us a break for at least one weekend. This week has been the sysadmin's 9/11

pratik_asabe

Another already! great!!

enhance_dan

Ubuntu's official blog post is here now https://ubuntu.com/blog/dirty-frag-linux-vulnerability-fixes-available

Thanks @Adam once again for bringing these vulnerabilities to your customers' attention. 🙂