Mitigation for Dirty Frag Linux local privilege escalation vulnerability

fln (Administrator, Staff member)
Yet another local privilege escalation vulnerability was recently publicly announced: dirtyfrag.io.

Mitigation does not require a server reboot, only making sure the kernel modules esp4, esp6 and rxrpc are disabled.

Code:
: > /etc/modprobe.d/dirtyfrag.conf
echo 'install esp4 /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
echo 'install esp6 /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
echo 'install rxrpc /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
rmmod esp4 esp6 rxrpc 2>/dev/null

Note: The esp4 and esp6 modules are used by IPsec. If your server is using IPsec, unloading them will break the IPsec connections, or the unload operation will fail. Quick check to make sure the modules are unloaded: the command lsmod | grep -F -e esp4 -e esp6 -e rxrpc should return no results.
 
Did you test the PoC on this?

Doesn't seem to mitigate the issue for me. But maybe I'm doing something wrong. See if others chime in.
 
Update:

If you've run the PoC before applying the mitigation, then you either need to reboot or drop caches:

echo 3 > /proc/sys/vm/drop_caches

 
The PoC seems to have worked on AlmaLinux 8.

I would assume AlmaLinux 9 is vulnerable as well. (and RHEL8 and RHEL9).
 
AlmaLinux 9 vulnerable as well.

Same story though, you either need to drop caches or reboot after applying mitigation steps.
 
I haven't done anything yet for mitigation or whatever, but when I run this command on the servers:
lsmod | grep -F -e esp4 -e esp6 -e rxrpc
it gives no result, so they are not loaded.

I presume I still need to do the fix.

The PoC seems to have worked on AlmaLinux 8.
What's a PoC?
 
Hello

Amazon also proposes to disable ipcomp4 and ipcomp6.
See here: https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/

However, on my system I don't have "ipcomp4", I have "ipcomp". So I think we also need to blacklist that one.

What if we patch it like this:
echo 'install esp4 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install esp6 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install ipcomp /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install ipcomp4 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install ipcomp6 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install rxrpc /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf

Check if they are already running:
lsmod | grep -E "esp4|esp6|ipcomp|ipcomp4|ipcomp6|rxrpc"

Reboot if they are already running.

Kr
Dries
 
Hello

Another addition

Amazon also proposes to run this after your system is running:
sysctl -w kernel.modules_disabled=1

This prevents loading of additional modules after all services on your system are running.

I am unsure if this is a good idea.

Kr
Dries
 
Patched kernel versions:

  • AlmaLinux 8 is patched in kernel-4.18.0-553.123.2.el8_10 and above
  • AlmaLinux 9 is patched in kernel-5.14.0-611.54.3.el9_7 and above
  • AlmaLinux 10 is patched in kernel-6.12.0-124.55.2.el10_1 and above
  • AlmaLinux Kitten 10 will be patched in the next regular kernel build; see the Kitten repo for the current version
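To tie the thread together, here is an added example written for this page (not code from the thread, cPanel, AlmaLinux or AWS): a small POSIX shell checker covering the module part of the mitigation from the first post and Dries' additions (ipcomp, ipcomp4, ipcomp6) and the patched kernel versions in the list above. It assumes the module listing is in /proc/modules format (first column is the module name), that the override file uses the same "install <module> /bin/false" lines as the thread (/bin/true is accepted as equivalent), and that the fixed versions are exactly the three AlmaLinux ones listed. The file name dirtyfrag-check.sh is an assumption. It goes slightly beyond the thread in one respect: it compares the running kernel release with the fixed version field by field, numerically, instead of by plain string comparison, so 553.123.2 correctly sorts above 553.99.1.

```shell
#!/bin/sh
# Added example for the Dirty Frag mitigation thread; not from the thread,
# cPanel, AlmaLinux or AWS. Assumptions: /proc/modules-style input, the
# "install <mod> /bin/false" override lines used in the thread, and the
# AlmaLinux 8/9/10 fixed kernel versions listed in the thread.

# Modules the thread says must stay unloaded: esp4/esp6/rxrpc from the first
# post plus ipcomp/ipcomp4/ipcomp6 from the AWS bulletin Dries mentioned.
DIRTYFRAG_MODULES="esp4 esp6 ipcomp ipcomp4 ipcomp6 rxrpc"

# Print the names from DIRTYFRAG_MODULES that appear in a /proc/modules-style
# listing read from stdin. Empty output means none of them is loaded.
loaded_risky_modules() {
    awk -v want="$DIRTYFRAG_MODULES" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) mods[w[i]] = 1 }
        ($1 in mods) { print $1 }'
}

# Return 0 if every module in DIRTYFRAG_MODULES has an install override in the
# given modprobe.d file; otherwise print "missing: ..." and return 1.
# A plain "blacklist <mod>" line is deliberately not accepted: it only stops
# alias-based autoloading, an explicit modprobe of the name still loads it.
blacklist_complete() {
    file="$1"; missing=""
    for m in $DIRTYFRAG_MODULES; do
        grep -Eq "^[[:space:]]*install[[:space:]]+$m[[:space:]]+/bin/(false|true)([[:space:]]|$)" "$file" 2>/dev/null \
            || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Compare a kernel release string (as printed by uname -r) with the patched
# version for its el8/el9/el10 stream. Numeric fields are compared one by one.
# Returns 0 if at or above the fixed version, 1 if older, 2 if the release
# stream is not one of the three in the thread.
kernel_is_patched() {
    running="$1"
    case "$running" in
        *.el8*)  fixed="4.18.0-553.123.2.el8_10" ;;
        *.el9*)  fixed="5.14.0-611.54.3.el9_7" ;;
        *.el10*) fixed="6.12.0-124.55.2.el10_1" ;;
        *) echo "unknown release stream: $running" >&2; return 2 ;;
    esac
    awk -v a="$running" -v b="$fixed" 'BEGIN {
        n = split(a, x, /[^0-9]+/); m = split(b, y, /[^0-9]+/)
        for (i = 1; i <= n && i <= m; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0   # equal on every shared field: running is at least the fix
    }'
}

# Report on the live host: ./dirtyfrag-check.sh --live
report_live() {
    echo "loaded risky modules: $(loaded_risky_modules < /proc/modules)"
    found=0
    for f in /etc/modprobe.d/*.conf; do
        [ -f "$f" ] || continue
        if blacklist_complete "$f" >/dev/null 2>&1; then
            echo "all overrides present in $f"; found=1
        fi
    done
    [ "$found" = 1 ] || echo "no single modprobe.d file carries all overrides for: $DIRTYFRAG_MODULES"
    kernel_is_patched "$(uname -r)"; rc=$?
    case $rc in
        0) echo "kernel $(uname -r): at or above the fixed version" ;;
        1) echo "kernel $(uname -r): NOT patched, keep the module overrides in place" ;;
        *) echo "kernel $(uname -r): not an el8/el9/el10 kernel, compare manually" ;;
    esac
}
case "${1:-}" in --live) report_live ;; esac
```

Run it with --live on the host; without arguments it only defines the functions, so it can be sourced from other scripts. Remember that, as the replies above point out, a clean lsmod does not by itself tell you whether a previously loaded module's state is still cached.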
 