Dirty Sock and Dirty Cow: A deep dive into two computer security vulnerabilities

  • Dirty Sock vulnerability, tracked as CVE-2019-7304, was first noticed in January 2019.
  • Dirty Cow vulnerability (CVE-2016-5195) is a privilege escalation vulnerability that affects all Linux-based systems, including Android devices.

A new type of privilege escalation vulnerability named ‘Dirty Sock’ has surfaced recently in the cybersecurity threat landscape. While the impact due to the vulnerability is not quite widespread, researchers have observed that the flaw can be abused to gain a foothold on unpatched systems.

About Dirty Sock vulnerability

The vulnerability, tracked as CVE-2019-7304, was first noticed in January 2019, by Chris Moberly, a security researcher from The Missing Link. It primarily impacts Ubuntu operating system and other Linux distros.

Once exploited, this local privilege escalation vulnerability can let attackers create root-level accounts by gaining complete control over the entire OS. The vulnerability actually exists in the Snapd daemon which is included by default in all recent Ubuntu versions and in some Linux distros.

The malicious code to abuse the vulnerability can be run directly on an infected host or can be hidden inside malicious snap packages.

About Dirty Cow vulnerability

Dirty Cow vulnerability (CVE-2016-5195) is also a privilege escalation vulnerability that affects all Linux-based systems and Android devices. The flaw existed since 2007, although it was only discovered and exploited in late 2016. It gets its name from the copy-on-write (COW) mechanism in the kernel’s memory management system.

Once exploited, the flaw can enable attackers to gain root privileges and perform malicious activities. This includes modifying system files, deploying keyloggers, accessing personal data stored on the device etc.

Dirty Cow affecting Android devices

ZINU is the first malware to exploit Dirty Cow vulnerability. The malware can impact all operating systems before Android 7.0 Nougat. ZINU spreads via malicious apps. Once these apps are launched, they install the malware which later communicates with the C2 server to receive further commands. Then, the malware exploits the Dirty Cow vulnerability to gain access to super-user permissions.

According to a report from Trend Micro, over 300,000 malicious apps carrying ZINU were spotted affecting users across 50 countries including China, India and Japan in 2017. Most of these apps disguised themselves as adult apps and games.

Security patches have been released in order to mitigate these flaws. The Dirty Cow vulnerability has been patched in kernel versions 4.8.3, 4.7.9, 4.4.26 and newer. To check your current kernel version number, you can use the command ‘uname - r’ on your Linux-based system.

Canonical also released security updates to fix the Dirty Sock vulnerability in Ubuntu Linux OS. Security updates are also available for other Linux distros that use Snapd such as Debian, Arch Linux, OpenSUSE, Solus, and Fedora.