Dirty Decrypt Linux Root Escalation Flaw Exploit Uncovered
Linux Kernel Vulnerability Allows Root Access Through DirtyDecrypt Flaw
A previously patched Linux kernel vulnerability, known as DirtyDecrypt or DirtyCBC, has received a proof-of-concept exploit, allowing attackers to gain root access on certain Linux systems.
Background and Affected Systems
The flaw was identified in the Linux kernel’s rxgk module and affects systems with the CONFIG_RXGK configuration enabled. Researchers at V12 discovered and reported the issue, which was later confirmed to be a duplicate that had already been patched in the mainline Linux kernel.
According to V12, the flaw arises from a missing COW (Copy-on-Write) guard in the rxgk_decrypt_skb function.
Exploitation and Mitigation
- To exploit this vulnerability, an attacker must run a Linux kernel with the CONFIG_RXGK configuration option enabled, which supports RxGK security for the Andrew File System (AFS) client and network transport.
- This limits the attack surface to Linux distributions that closely follow the latest upstream kernel releases, such as Fedora, Arch Linux, and openSUSE Tumbleweed.
- V12 has successfully tested the proof-of-concept exploit against Fedora and the mainline Linux kernel.
- The exploit belongs to the same vulnerability class as several other root-escalation flaws, including Dirty Frag, Fragnesia, and Copy Fail.
- Users on potentially affected Linux distributions are advised to install the latest kernel updates as soon as possible.
- Those who cannot immediately patch their devices should use the same mitigation strategy employed for Dirty Frag, which involves modifying the /etc/modprobe.d directory and removing specific modules. However, this mitigation will also disable IPsec VPNs and AFS distributed network file systems.
Recent Developments and Recommendations
- Recent reports have indicated that attackers are actively exploiting the Copy Fail vulnerability in the wild.
- The Cybersecurity and Infrastructure Security Agency (CISA) has added Copy Fail to its list of flaws exploited in attacks and has ordered federal agencies to secure their Linux devices within two weeks.
- This vulnerability highlights the importance of regular software updates and timely patching to prevent exploitation by attackers.
