Dirty Frag, the new Linux zero-day that escalates to root privileges with a single command


A new Linux zero-day, dubbed Dirty Frag, lets a local attacker escalate privileges to root on most distributions with a single command, according to researcher Hyunwoo Kim, who published both documentation and a proof of concept (PoC) after the embargo was broken. The exploit chains two separate kernel bugs (in xfrm-ESP and RxRPC) to overwrite protected memory pages and modify system files without authorization; unlike earlier bugs such as Dirty Pipe or Copy Fail, this attack abuses a different area of the kernel's fragmentation logic, which makes it both new and dangerous.

The practical severity is high because Dirty Frag is a deterministic logic flaw: it needs no complex race conditions, it does not cause kernel panics when it fails, and the PoC reports a very high success rate. Although the attack requires local access, that turns multi-user environments, machines with exposed development accounts, poorly isolated containers and shared cloud environments into high-risk targets. In addition, public release of the exploit before patches exist widens the exposure window.


There is still no official CVE for this vulnerability because the embargo was broken; the original information and the author's resources are available in the Openwall post and in the repository that holds the PoC: Openwall disclosure and Dirty Frag repository on GitHub. Those who manage infrastructure should closely follow their distribution's security advisories and be ready to apply kernel patches as soon as they are published.

As an immediate mitigation the authors propose blocking and unloading the vulnerable modules (esp4, esp6 and rxrpc). The suggested command creates a modprobe rule that prevents them from loading and removes any that are already loaded: sh -c "printf 'install esp4 /bin/false\ninstall esp6 /bin/false\ninstall rxrpc /bin/false\n' > /etc/modprobe.d/dirtyfrag.conf; rmmod esp4 esp6 rxrpc 2>/dev/null; true". Two caveats worth knowing: rmmod fails (silently, given the redirection) on a module that is still in use, so confirm with lsmod afterwards, and a modprobe install rule only governs loadable modules, so on a kernel with this code compiled in the rule has no effect and only a patched kernel helps. Caution: this measure disables IPsec and AFS; do not apply it without assessing the impact on VPNs and dependent services.
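The following script is an added example, not code from the article or from the Dirty Frag author. It checks that the interim mitigation is actually in place on a host: that the modprobe rule maps each module to /bin/false, and that none of the modules is still loaded (which also serves the "dynamic loading of kernel modules" signal mentioned further on). It assumes the module names the article gives (esp4, esp6, rxrpc), the /etc/modprobe.d syntax and the /proc/modules line format; both inputs are passed as files so the check can be run against copies captured from any machine. The sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or the Dirty Frag author): verify that the
# interim mitigation is in place by checking (a) that a modprobe.d rule maps each
# module to /bin/false and (b) that none of the modules is currently loaded.
# Inputs are files, so the check works on captured copies of
# /etc/modprobe.d/dirtyfrag.conf and /proc/modules from any host.

# Module names as given in the article (xfrm-ESP and RxRPC).
MODULES="esp4 esp6 rxrpc"

# dirtyfrag_rule_ok CONF: succeed only if CONF contains an
# "install <module> /bin/false" line for every module in MODULES.
dirtyfrag_rule_ok() {
    conf="$1"
    [ -r "$conf" ] || return 1
    for m in $MODULES; do
        grep -Eq "^[[:space:]]*install[[:space:]]+$m"'[[:space:]]+/bin/false([[:space:]]|$)' "$conf" || return 1
    done
    return 0
}

# dirtyfrag_loaded MODLIST: given a file in /proc/modules format (first field is
# the module name), print each watched module that is loaded. Succeeds only if
# none of them is loaded, so a non-zero status means the mitigation is incomplete.
dirtyfrag_loaded() {
    modlist="$1"
    found=0
    for m in $MODULES; do
        if awk -v m="$m" '$1 == m { found = 1 } END { exit !found }' "$modlist"; then
            echo "$m"
            found=1
        fi
    done
    return $found
}

# Constructed sample data so the check can be exercised offline.
tmpdir=$(mktemp -d)
cat > "$tmpdir/good.conf" <<'EOF'
install esp4 /bin/false
install esp6 /bin/false
install rxrpc /bin/false
EOF
cat > "$tmpdir/partial.conf" <<'EOF'
install rxrpc /bin/false
EOF
# /proc/modules-style lines: name size refcount dependents state address
cat > "$tmpdir/modules_clean" <<'EOF'
xfrm_user 49152 1 - Live 0x0000000000000000
ext4 1048576 2 - Live 0x0000000000000000
EOF
cat > "$tmpdir/modules_dirty" <<'EOF'
esp4 28672 0 - Live 0x0000000000000000
rxrpc 172032 1 kafs, Live 0x0000000000000000
EOF

# On a real host: dirtyfrag_rule_ok /etc/modprobe.d/dirtyfrag.conf; dirtyfrag_loaded /proc/modules
dirtyfrag_rule_ok "$tmpdir/good.conf"     && echo "rule: ok"      || echo "rule: missing"
dirtyfrag_rule_ok "$tmpdir/partial.conf"  && echo "rule: ok"      || echo "rule: missing"
dirtyfrag_loaded  "$tmpdir/modules_clean" && echo "loaded: none"  || echo "loaded: yes (see above)"
dirtyfrag_loaded  "$tmpdir/modules_dirty" && echo "loaded: none"  || echo "loaded: yes (see above)"
```

Run it against the real files (the commented line shows the call) from a scheduled job or a configuration-management check; a non-zero status from either function is the condition to alert on until a patched kernel is deployed.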

While the official fix is awaited, additional risk-reduction measures should be taken: restrict local access to critical systems, revoke unnecessary interactive access, tighten isolation policies for containers and virtual machines, and monitor for signs of escalation (unexpected processes running as UID 0, unusual modifications under /etc, dynamic loading of kernel modules). Response teams should prepare procedures to isolate and reinstall compromised systems rather than trying to repair them in place.

It is also worth remembering the connection with recent incidents: maintainers are still rolling out patches for Copy Fail and other privilege-escalation bugs that have appeared in recent months. The US Cybersecurity and Infrastructure Security Agency (CISA) is prioritizing these vulnerabilities in its catalogue of known exploited vulnerabilities; federal agencies were ordered to mitigate Copy Fail quickly. See the official CISA page for tracking and the applicable directives: CISA KEV Catalog.


From a medium-term defensive perspective, it makes sense to strengthen containment controls: enable and review SELinux/AppArmor policies, apply namespace and cgroup isolation to workloads, use file-integrity monitoring and EDR tooling that detects escalation behaviour, and set up alerts for kernel module loads or manipulation. Plan updated kernel deployments in controlled maintenance windows and test full restores to ensure clean remediation in case of compromise.

For cloud operators and managed service providers, the immediate recommendation is to coordinate with image and service providers to understand the impact on shared infrastructure and to require evidence of mitigation and patching. Given the local exploitation pattern and the ease shown by the PoC, the risk window is concrete and short: rapid, coordinated action reduces the likelihood of widespread compromise.

Finally, keep offline copies of critical audit artefacts and keys, rotate the credentials of privileged accounts after any suspicious activity, and subscribe to your distribution's official security lists and channels to receive patch updates as soon as they are available; the combination of temporary mitigation, active detection and timely patching is the only practical strategy for neutralizing a vulnerability with Dirty Frag's characteristics.
