Organisations and individuals have been urged to patch Linux servers immediately or risk falling victim to exploits for a Linux kernel security flaw dubbed ‘Dirty COW'.
This follows a warning from open source software vendor Red Hat that the flaw is being exploited in the wild.
Phil Oester, the Linux security researcher who uncovered the flaw, explained to V3 that the exploit is easy to execute and will almost certainly become more widely used.
"The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8," he said.
"As Linus [Torvalds] notes in his commit, this is an ancient bug and impacts kernels going back many years. All Linux users need to take this bug very seriously, and patch their systems ASAP."
Oester said that he uncovered the exploit for the bug, which has been around since 2007, while examining a server that appeared to have been attacked.
"One of the sites I manage was compromised, and an exploit of this issue was uploaded and executed. A few years ago I started packet capturing all inbound HTTP traffic and was able to extract the exploit and test it out in a sandbox," he told V3.
"These rolling packet captures have proved invaluable numerous times. I would recommend this extra security measure to all admins."
The Dirty COW moniker describes the nature of the flaw. "A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write [COW] breakage of private read-only memory mappings," Red Hat warned in an advisory published today.
"An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."
Furthermore, the complexity of the attacks seen in the wild may make it difficult for antivirus and other security software to identify them.
"Although the attack can happen in different layers, antivirus signatures that detect Dirty COW could be developed," warned an advisory.
"Due to the attack complexity, differentiating between legitimate use and attack cannot be done easily, but the attack may be detected by comparing the size of the binary against the size of the original binary.
"This implies that antivirus can be programmed to detect the attack but not to block it unless binaries are blocked altogether."
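The size comparison the advisory suggests, as an added example that is not from the article or the advisory: a baseline of trusted binaries is recorded while they are known-good and later re-checked, flagging length changes first and, as an extension beyond the advisory's check, same-length byte changes via a SHA-256 digest. File names and contents are constructed in a temporary directory; nothing here touches real system binaries.

```python
import hashlib
import os
import tempfile

def fingerprint(path):
    """Return (size_in_bytes, sha256_hex) for the file at path."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return os.path.getsize(path), h.hexdigest()

def build_baseline(paths):
    """Record size and digest of each trusted binary while it is known-good."""
    return {p: fingerprint(p) for p in paths}

def verify(baseline):
    """Map each changed path to 'size' (the advisory's check), 'content'
    (same length, different bytes) or 'missing'; unchanged files are omitted."""
    findings = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        cur_size, cur_digest = fingerprint(path)
        if cur_size != size:
            findings[path] = "size"
        elif cur_digest != digest:
            findings[path] = "content"
    return findings

def write(path, data):
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: fake binaries in a temp dir, two altered after baselining."""
    d = tempfile.mkdtemp()
    paths = [os.path.join(d, n) for n in ("passwd", "sudo", "su")]
    write(paths[0], b"\x7fELF original setuid binary")
    write(paths[1], b"\x7fELF untouched binary")
    write(paths[2], b"\x7fELF same-size original")
    base = build_baseline(paths)
    write(paths[0], b"\x7fELF replaced payload of a different length")
    write(paths[2], b"\x7fELF same-size MODIFIED")  # length preserved on purpose
    return {os.path.basename(p): r for p, r in verify(base).items()}

if __name__ == "__main__":
    print(demo())  # {'passwd': 'size', 'su': 'content'}
```

On a real host the baseline would be taken from package-manager records or a clean image rather than from the possibly compromised machine itself.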
The flaw has been written up in the CVE database.