Mitigation for Dirty Frag Linux local privilege escalation vulnerability

fln

Administrator, Staff member
Yes another local privilege escalation vulnerability was recently publicly announced - dirtyfrag.io.

Mitigation does not require server reboot, only making sure kernel modules esp4, esp6 and rxrpc are disabled.

Code:
# start from an empty file so re-running the commands does not append duplicate lines
: > /etc/modprobe.d/dirtyfrag.conf
# an 'install <module> /bin/false' line makes modprobe run /bin/false instead of loading the module
echo 'install esp4 /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
echo 'install esp6 /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
echo 'install rxrpc /bin/false' >> /etc/modprobe.d/dirtyfrag.conf
# unload the modules if they are currently loaded; errors for modules that are not loaded are hidden
rmmod esp4 esp6 rxrpc 2>/dev/null

Note: The esp4 and esp6 modules are used by IPsec. If your server is using IPsec, unloading them will break the connections over IPsec, or the unload operation will fail. Quick check to make sure the modules are unloaded: the command lsmod | grep -F -e esp4 -e esp6 -e rxrpc should return no results.
 
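The same mitigation wrapped in a script, as an added example that is not fln's code and was not posted in the thread. It renders the modprobe.d blacklist instead of appending to it, tries the unload, then reports which of the wanted modules are still loaded together with their lsmod refcount, since a non-zero refcount is exactly the "unload operation will fail" case from the note above. The function names, the MODULES variable and the constructed lsmod sample are my own; the config path and module names are the ones from the post. The dry-run check relies on modprobe -n -v printing the command it would run, which is "install /bin/false" once the override is in effect.

```shell
#!/bin/sh
# Added example, not code from the post above: an idempotent version of the
# Dirty Frag module blacklist that renders the modprobe.d file, tries to unload
# the modules and reports which ones are still loaded and why.
# Assumptions: MODULES and CONF are parameters with the names from the post;
# apply_mitigation needs root and only runs when invoked as "sh script.sh apply".
set -eu

MODULES="esp4 esp6 rxrpc"
CONF=/etc/modprobe.d/dirtyfrag.conf

# Print one 'install <module> /bin/false' line per module name given.
render_blacklist() {
    for m in "$@"; do
        printf 'install %s /bin/false\n' "$m"
    done
}

# Read lsmod output on stdin and print "<module> <refcount>" for every wanted
# module that is loaded. A non-zero refcount means something (for example an
# IPsec SA) holds the module and rmmod will fail until that user goes away.
loaded_modules() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        NR > 1 && ($1 in wanted) { print $1, $3 }'
}

# Dry-run check that the install override is in effect: modprobe -n -v prints
# the command it would run, which is "install /bin/false" once CONF is read.
blacklist_active() {
    modprobe -n -v "$1" 2>/dev/null | grep -q '/bin/false'
}

apply_mitigation() {
    # Overwrite rather than append, so re-running never duplicates lines.
    render_blacklist $MODULES > "$CONF"
    # rmmod exits non-zero for modules that are not loaded or are in use; expected.
    rmmod $MODULES 2>/dev/null || true
    rc=0
    for m in $MODULES; do
        blacklist_active "$m" || { echo "override not active for $m"; rc=1; }
    done
    still=$(lsmod | loaded_modules $MODULES)
    if [ -n "$still" ]; then
        echo "still loaded (module refcount):"
        echo "$still"
        echo "a module with refcount > 0 is in use: stop its user or reboot"
        rc=1
    fi
    return $rc
}

# Constructed lsmod sample for an offline dry run (esp4 held by an IPsec user).
SAMPLE_LSMOD='Module                  Size  Used by
esp4                   24576  2
xfrm_algo              16384  1 esp4
rxrpc                1150976  0
ext4                  778240  1'

echo "--- config that would be written to $CONF:"
render_blacklist $MODULES
echo "--- wanted modules loaded in the sample:"
printf '%s\n' "$SAMPLE_LSMOD" | loaded_modules $MODULES

# Run as root with the argument "apply" to do it for real.
if [ "${1:-}" = "apply" ]; then
    apply_mitigation
fi
```

Because the module list is a plain variable, adding further modules named by a vendor advisory is a one-line change; the script still reports a loaded module that it could not unload rather than silently reporting success.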
Did you test the PoC on this?

Doesn't seem to mitigate the issue for me. But maybe I'm doing something wrong. See if others chime in.
 
Update:

If you've run the PoC before applying the mitigation, then you either need to reboot or drop caches:

echo 3 > /proc/sys/vm/drop_caches

 
The PoC seems to have worked on AlmaLinux 8.

I would assume AlmaLinux 9 is vulnerable as well. (and RHEL8 and RHEL9).
 
AlmaLinux 9 vulnerable as well.

Same story though, you either need to drop caches or reboot after applying mitigation steps.
 
I haven't done anything yet for mitigation or whatever, but when I run this command on the servers:
lsmod | grep -F -e esp4 -e esp6 -e rxrpc
it gives no result so they are not loaded.

I presume I still need to do the fix.

The PoC seems to have worked on AlmaLinux 8.
What's a PoC?
 
Yes I see that link, but didn't remember the short name. Thanks!
I just used the mitigation on all servers, better safe than sorry. :)
 
Hello

Amazon also proposes to disable ipcomp4 and ipcomp6.
See here: https://aws.amazon.com/security/security-bulletins/rss/2026-027-aws/

However, on my system I don't have "ipcomp4", I have "ipcomp". So I think we also need to blacklist that one.

What if we patch it like this:
echo 'install esp4 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install esp6 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install ipcomp /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install ipcomp4 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install ipcomp6 /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf
echo 'install rxrpc /bin/false' >> /etc/modprobe.d/cve-copyfail2.conf

Check if they are already running:
lsmod | grep -E "esp4|esp6|ipcomp|ipcomp4|ipcomp6|rxrpc"

Reboot if they are already running.

Kr
Dries
 
Hello

Another addition

Amazon also proposes to run this after your system is running:
sysctl -w kernel.modules_disabled=1

This prevents loading of additional modules after all services on your system are running.

I am unsure if this is a good idea.

Kr
Dries
 
Patched kernel versions:

  • AlmaLinux 8 is patched in kernel-4.18.0-553.123.2.el8_10 and above
  • AlmaLinux 9 is patched in kernel-5.14.0-611.54.3.el9_7 and above
  • AlmaLinux 10 is patched in kernel-6.12.0-124.55.2.el10_1 and above
  • AlmaLinux Kitten 10 will be patched in the next regular kernel build; see the Kitten repo for the current version
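A check that compares the running kernel against the fixed versions listed above, as an added example that is not part of the announcement. It implements a simplified rpm-style comparison in awk (numeric and alphabetic runs compared segment by segment, numeric beating alphabetic, the longer string winning on a tie; tilde and caret handling is left out because these version strings do not use them, which is my assumption). The sample version strings in the dry run are constructed; pass the argument "live" to test the real uname -r.

```shell
#!/bin/sh
# Added example (not from the announcement): is the running kernel at or above
# the patched AlmaLinux kernel version? The fixed versions are the ones listed
# in the post; the comparison is a simplified rpm-style segment compare.
set -eu

# Fixed versions from the announcement, without the .x86_64 arch suffix.
fixed_kernel_for() {
    case "$1" in
        el8)  echo "4.18.0-553.123.2.el8_10" ;;
        el9)  echo "5.14.0-611.54.3.el9_7" ;;
        el10) echo "6.12.0-124.55.2.el10_1" ;;
        *)    return 1 ;;
    esac
}

# Derive the major release (el8/el9/el10) from a kernel version string.
release_of() {
    case "$1" in
        *.el10_*|*.el10.*) echo el10 ;;
        *.el9_*|*.el9.*)   echo el9 ;;
        *.el8_*|*.el8.*)   echo el8 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when version $1 >= version $2. Segments are runs of digits or
# letters; digits compare numerically, letters as strings, a numeric segment
# beats an alphabetic one, and on an equal prefix the longer version wins.
kver_ge() {
    awk -v a="$1" -v b="$2" '
        function tok(s, arr,   n) {
            n = 0
            while (match(s, /[0-9]+|[A-Za-z]+/)) {
                arr[++n] = substr(s, RSTART, RLENGTH)
                s = substr(s, RSTART + RLENGTH)
            }
            return n
        }
        BEGIN {
            na = tok(a, ta); nb = tok(b, tb)
            for (i = 1; i <= na && i <= nb; i++) {
                x = ta[i]; y = tb[i]
                xn = (x ~ /^[0-9]+$/); yn = (y ~ /^[0-9]+$/)
                if (xn && yn) {
                    if (x + 0 != y + 0) { r = (x + 0 > y + 0) ? 0 : 1; exit r }
                } else if (xn != yn) {
                    r = xn ? 0 : 1; exit r
                } else if (x != y) {
                    r = (x > y) ? 0 : 1; exit r
                }
            }
            r = (na >= nb) ? 0 : 1
            exit r
        }'
}

# Returns 0 if the kernel string ($1, as printed by uname -r) is patched,
# 1 if it is older than the fix, 2 if the release is not one of the three above.
kernel_is_patched() {
    rel=$(release_of "$1") || return 2
    fixed=$(fixed_kernel_for "$rel") || return 2
    kver_ge "$1" "$fixed"
}

# Constructed sample kernel strings for an offline dry run.
for k in 4.18.0-553.123.2.el8_10.x86_64 5.14.0-611.53.1.el9_7.x86_64; do
    if kernel_is_patched "$k"; then echo "$k: patched"; else echo "$k: NOT patched"; fi
done

# "live" checks the kernel actually running, which is what matters: a newer
# kernel installed by dnf does nothing until the reboot.
if [ "${1:-}" = "live" ]; then
    if kernel_is_patched "$(uname -r)"; then
        echo "running kernel $(uname -r) is patched"
    else
        echo "running kernel $(uname -r) is NOT patched (dnf upgrade, then reboot)"
    fi
fi
```

The check deliberately reads uname -r rather than rpm -q kernel: several kernels can be installed at once, and only the running one counts.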
 
2026-05-08 15:22 UTC — The patched kernels are now rolling out to production repositories/mirrors. You no longer need to enable the testing repo to get them. Just run:
Code:
sudo dnf clean metadata && sudo dnf upgrade
sudo reboot
 
A similar update - Fragnesia (CVE-2026-46300) - is coming ...

The good news: because Fragnesia reaches root through the same esp4 / esp6 / rxrpc modules as Dirty Frag, the same mitigation from the Dirty Frag post blocks Fragnesia as well. If you already applied it, you are already protected against this one. There is nothing extra to do until you install the patched kernel.

 
Haha, in the last couple of weeks I have automated my updates and tests. Bring it on, I think I have updated kernels a thousand times in the last month and now I'm unstoppable!!! :cool:

I sort of respect the hackers that actually build exploits. A couple of decades ago I remember that exploiting a simple buffer overflow took days and a lot of surprises, and even then it worked only on your own system. Made me laugh when I watched hacker movies where hackers had a minute to hack something with a gun to their head... Impossible, I thought. Well, it took a while, but that backfired pretty hard.

But basically... If you happened to know something about a copyfail error or maybe many more, you simply were the uberhacker of hackers and no system was safe. It's actually pretty cool.

I love it that AI is pissing all over the Linux code, that runs about all my servers, to find these bugs. Linux is not yet a safe OS and we all know that now. This will make things better.
 