Critical System Protection


Symantec pens in Dirty COW 

Oct 22, 2016 08:15 AM


Symantec Data Center Security Server Advanced (DCS:SA), formerly known as Critical System Protection (CSP), blocks the Dirty COW exploit. The protection for this attack vector has been in the prevention policies since 2005, so all versions of DCS:SA and CSP offer the protection by default. Additionally, a targeted prevention policy can be created to either monitor or block this specific Linux vulnerability.

Exploit Analysis and Proof of Concept Testing:

The vulnerability is an underlying programming bug in the copy-on-write (COW) mechanism found in the Linux kernel and, when exploited, provides privilege escalation. The nature of the flaw is that a program can set up a race condition to modify what should be a read-only file that is mapped into memory and then persist those changes to storage. The scope of the impact is that a non-privileged user can alter root-owned files and executables and thus effectively own the system. The ease with which this vulnerability, introduced in 2007, can be exploited on such a wide range of Linux systems makes this of particular concern to customers. More information can be found at https://dirtycow.ninja/ and the proof of concept code is currently hosted on GitHub (https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs).

The exploit proof of concept code was compiled, executed and successfully tested on an unprotected Ubuntu host using a non-privileged user account. The same attack was executed with a DCS:SA agent on the host with the default Unix protection policy applied, and the exploit failed. The agent prevented the key step in the exploit from running, which is opening the logical file /proc/self/mem with read and write access (where self resolves to the calling process id). By default the DCS:SA Unix Policy does not allow write access to these /proc files, as this is deemed unusual and undesirable behavior.

Below is a subset of the event/alert attributes captured for this Dirty COW POC exploit.

Description           File Write Denied for tst.out on /proc/2957/mem
User Name             pjc
Process               /home/pjc/Downloads/tst.out
File Name             /proc/2957/mem
Disposition           Denied
Operation             open
SDCSS Result          0000000D (Permission denied)
Permissions Requested 00000003 (read, write)

The test was re-run using the root account and the exploit was stopped again (as the behavior is still unusual and undesirable even for a root user).

A quick automated test script was then run across all Unix Policy containment sandboxes to verify that this exploit would be stopped for system processes such as crond, applications such as Apache, and the DCS agent itself. All were prevented from opening the key resource (/proc/self/mem) with the write access necessary for the exploit to work. The test also confirmed that unprotected applications, such as those the customer may have specifically excluded from DCS protection features (usually provisioning tools) or general daemons not covered by the out-of-the-box (OOTB) policy content, would allow the exploit to succeed. However, this attack space is a much smaller subset and also requires additional exploits against these targeted applications before a Dirty COW style exploit can be run. DCS already provides system-wide protection to stop these other threat vectors.


Customer Considerations


The customer can choose to mitigate the small set of unprotected use cases noted above by adding a read-only rule for the file path /proc/*/mem to the default Unix Policy for either

  • specific applications,
  • unprotected sandboxes (covering all the applications in the sandbox), or
  • as a global rule applicable to all applications

DCS customers who are only monitoring security can use DCS to detect whether the Dirty COW exploit executes across all their Linux systems in a matter of minutes by quickly deploying a targeted prevention policy in monitor-only mode that incorporates the same read-only file rule noted above (this does require that the Host IPS feature is enabled on the agent).
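The event attributes quoted above and the monitor-only deployment described here both come down to the same question for a defender: which processes opened /proc/<pid>/mem (or /proc/self/mem) with write access, and were they denied or allowed? The following is an added example, not code from the original post or from Symantec's DCS:SA product. It assumes the events are exported in the same "Attribute  Value" text layout shown above, one blank line between records; the sample records are constructed for the example, and the third record (an allowed write by a hypothetical provisioning tool, /opt/provisioning/prov-agent) illustrates the unprotected case the post describes. The triage rule generalises the post's observation slightly: any open of a /proc/*/mem path that requests write permission is flagged, whether the disposition was Denied (protection worked) or Allowed (an uncovered application that should get the read-only rule).

```python
import re
from dataclasses import dataclass

# Field names exactly as they appear in the event record quoted in the post.
FIELDS = (
    "Description", "User Name", "Process", "File Name",
    "Disposition", "Operation", "SDCSS Result", "Permissions Requested",
)

# /proc/<pid>/mem or /proc/self/mem: the path the read-only rule is written for.
PROC_MEM_RE = re.compile(r"^/proc/(self|\d+)/mem$")

# Constructed sample export (NOT real DCS output). Records are separated by a
# blank line; the first record mirrors the one quoted in the post, the second is
# a harmless read, the third is a hypothetical unprotected provisioning tool.
SAMPLE_EVENTS = """\
Description           File Write Denied for tst.out on /proc/2957/mem
User Name             pjc
Process               /home/pjc/Downloads/tst.out
File Name             /proc/2957/mem
Disposition           Denied
Operation             open
SDCSS Result          0000000D (Permission denied)
Permissions Requested 00000003 (read, write)

Description           File Read Allowed for cat on /proc/4101/status
User Name             pjc
Process               /bin/cat
File Name             /proc/4101/status
Disposition           Allowed
Operation             open
SDCSS Result          00000000 (Success)
Permissions Requested 00000001 (read)

Description           File Write Allowed for prov-agent on /proc/3301/mem
User Name             root
Process               /opt/provisioning/prov-agent
File Name             /proc/3301/mem
Disposition           Allowed
Operation             open
SDCSS Result          00000000 (Success)
Permissions Requested 00000002 (write)
"""


def parse_events(text):
    """Split the text export into a list of {attribute: value} dicts."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        for field in FIELDS:
            if line.startswith(field + " "):
                current[field] = line[len(field):].strip()
                break
    if current:
        events.append(current)
    return events


def requested_perms(event):
    """Use the human-readable list, e.g. '00000003 (read, write)' -> {'read', 'write'},
    rather than assuming what each bit of the hex value means."""
    m = re.search(r"\((.*?)\)", event.get("Permissions Requested", ""))
    return {p.strip() for p in m.group(1).split(",")} if m else set()


@dataclass
class Finding:
    process: str
    user: str
    path: str
    disposition: str
    status: str  # "blocked" when DCS denied it, "unprotected" when it was allowed


def triage(events):
    """Flag every open of /proc/*/mem that requested write access."""
    findings = []
    for ev in events:
        path = ev.get("File Name", "")
        if ev.get("Operation") != "open" or not PROC_MEM_RE.match(path):
            continue
        if "write" not in requested_perms(ev):
            continue  # plain reads of /proc/<pid>/mem are not the Dirty COW step
        disposition = ev.get("Disposition", "")
        status = "blocked" if disposition == "Denied" else "unprotected"
        findings.append(Finding(ev.get("Process", ""), ev.get("User Name", ""),
                                path, disposition, status))
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{f.status:11} {f.user:6} {f.process} -> {f.path} ({f.disposition})")
```

Run against the sample, the script reports the POC binary as blocked and the provisioning tool as unprotected while ignoring the ordinary /proc read; the "unprotected" lines are exactly the applications, sandboxes or global scope for which the post suggests adding the /proc/*/mem read-only rule.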


Stay Tuned

We will be updating this blog to include a demo video of the exploit and the protection, and to provide a targeted prevention policy for those who want to monitor or protect their servers from this vulnerability.
