Another huge Linux vulnerability is here. This is how you can protect yourself

"Dirty Frag" was leaked before distribution maintainers could issue a patch, so it's out there for anyone to abuse right now.

A vulnerability allowing normal users to gain root privileges was publicly disclosed Thursday. Following on the heels of Copy Fail, this one is called "Dirty Frag," and it affects all Linux distributions.

Happening now

In short: Security researcher V4bel explained the way Dirty Frag works in a long document posted to GitHub. The vulnerability chains known page cache exploits to elevate a normal user to root privileges without the root password.

Importantly, exploiting this vulnerability requires access to a user account on a Linux machine. That means if you aren't letting untrustworthy people log into your device, be it in-person or remotely, then you don't need to worry about it.

If you do allow remote access to your machine from strangers, you probably want to address the issue as soon as possible.

Fixing it now

At the time of writing, there's no patch generally available in any mainstream kernel distribution, though Alma Linux has issued an early patch in testing. It will take time for developers to publish and distribute patches.

In the meantime, you can run this script from oss-security as root. It blocks the relevant kernel modules from loading and unloads them if they are already loaded:

sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true"

Anecdotally, I ran the script on my Kubuntu laptop and it didn't cause any issues.
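
The script above discards any rmmod errors, so a module that is in use can stay loaded without warning. The check below is an added example, not part of the oss-security script or the researcher's write-up; it assumes the three module names and the install-rule approach from that script, and its function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the module workaround from the article is in effect.
MODULES="esp4 esp6 rxrpc"   # module names taken from the article's command

# is_loaded MODULE [FILE]: true if MODULE is listed in a /proc/modules-format FILE.
is_loaded() {
    awk -v m="$1" '$1 == m { hit = 1 } END { exit !hit }' "${2:-/proc/modules}"
}

# is_blocked MODULE [CONF...]: true if an uncommented "install MODULE /bin/false"
# (or /bin/true) rule exists. A "blacklist" line is not counted: it only stops
# alias-based autoloading, not an explicit request for the module by name.
is_blocked() {
    mod=$1; shift
    [ $# -gt 0 ] || set -- /etc/modprobe.d/*.conf
    awk -v m="$mod" '$1 == "install" && $2 == m &&
        ($3 == "/bin/false" || $3 == "/bin/true") { hit = 1 }
        END { exit !hit }' "$@" 2>/dev/null
}

# check_mitigation [PROC_FILE [CONF...]]: one line per finding; returns 0 only
# when every module is both unloaded and blocked from loading again.
check_mitigation() {
    proc=${1:-/proc/modules}; [ $# -eq 0 ] || shift
    rc=0
    for m in $MODULES; do
        if is_loaded "$m" "$proc"; then
            echo "$m: still loaded (rmmod failed, module may be in use)"; rc=1
        fi
        if ! is_blocked "$m" "$@"; then
            echo "$m: no install rule, can be loaded again"; rc=1
        fi
    done
    return $rc
}

# demo: constructed sample data (not from a real host). esp4 is still loaded
# and the rxrpc rule is commented out, so two findings are expected.
demo() {
    d=$(mktemp -d) || return 2
    printf 'esp4 28672 0 - Live 0x0000000000000000\n' > "$d/modules"
    printf 'install esp4 /bin/false\ninstall esp6 /bin/false\n# install rxrpc /bin/false\n' > "$d/fix.conf"
    st=0; check_mitigation "$d/modules" "$d/fix.conf" || st=$?
    rm -rf "$d"
    return $st
}

if [ "${1:-}" = "--live" ]; then check_mitigation; else demo || true; fi
```

Run it with `--live` to check the real host; without arguments it only runs the constructed demo.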

Zooming out

The background: You might be wondering at this point why the vulnerability has been disclosed by a security researcher before patches could be issued. It sounds like an unnamed third party leaked the vulnerability today, and the researcher along with distro developers decided it was best to get ahead of the problem by sharing the information. As explained in the disclosure timeline:

Detailed information and the exploit for the esp vulnerability were published publicly by an unrelated third party, breaking the embargo.

Why this announcement matters: Dirty Frag affects every Linux distribution, including kernel 7.0 and above. It comes shortly after the Copy Fail vulnerability, which affected every kernel since 2017 until kernel 7.0. This one is even more wide-ranging.

Diving in

Go further: You can get the technical details at DirtyFrag.io.

Thanks to Phoronix for pointing this out.

Jordan Gloor