Dirty Frag Sequel Continues the Streak of Linux Kernel Privilege Escalation Vulnerabilities
Fragnesia, the latest local privilege escalation vulnerability in the same family as Dirty Frag, emerged as an "unintended side effect of one of the patches addressing the original Dirty Frag vulnerabilities," according to Hyunwoo Kim, who discovered Dirty Frag.
This vulnerability is another logic flaw: attackers do not need to exploit a memory safety bug or win a race condition, because the kernel's own intended processing of attacker-controlled input is what produces the corruption, which makes exploitation deterministic rather than probabilistic.
The vulnerability was discovered by William Bowling with the V12 team.
Unlike Dirty Frag, Fragnesia requires no host-level privileges.
Fragnesia also never writes to disk: it modifies only the in-memory page cache copy of the target file, so a file-integrity monitor that hashes on-disk contents sees nothing. Every process that reads or executes the file is served the altered bytes until the cached pages are evicted, at which point the untouched on-disk contents reappear.
AppArmor, as enabled by default on Ubuntu, may serve as a partial mitigation: a confining profile does not close the bug, but it can force extra steps before a machine is successfully exploited.
As always, the recommendation is to install the patches your Linux distribution ships as quickly as possible.
The flaw lies in the same XFRM (IPsec) code path as Dirty Frag: ESP-in-TCP encapsulation.
According to Microsoft Threat Intelligence, the exploit corrupts the “page cache memory of the /usr/bin/su binary, which in turn leads to launching a shell with root privilege.”
Fragnesia isn’t constrained to the su binary, though. “[I]t can modify any file readable by the user, including /etc/passwd.”
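Because the on-disk file is untouched and only the page cache is altered, a disk-oriented integrity check cannot see the change, but the divergence itself is observable: a buffered read of the file comes from the page cache, while an O_DIRECT read bypasses the cache and fetches the blocks from disk. The following shell script is an added example, not code from the article, Microsoft, or the researchers; it compares the two views of a file such as /usr/bin/su or /etc/passwd. Function names, exit codes and the sample file list are my own choices.

```shell
#!/bin/sh
# Page-cache vs on-disk comparison, as a detection check for this bug class.
# A normal read of a file is served from the page cache; an O_DIRECT read
# (dd iflag=direct) bypasses the cache and fetches the blocks from disk.
# For a setuid binary or /etc/passwd, which nothing should be writing, the two
# must hash identically. A mismatch means the cached copy was altered while
# the on-disk file stayed intact: invisible to disk-based integrity checks,
# visible here.
#
# Exit status: 0 = cached and on-disk contents match
#              1 = MISMATCH (cached copy differs from disk)
#              2 = check not possible (unreadable file, or the filesystem
#                  refuses O_DIRECT, e.g. tmpfs)
pagecache_check() {
    f="$1"
    [ -r "$f" ] || return 2
    tmp=$(mktemp) || return 2

    # Buffered read through the page cache: this is what exec() and every
    # ordinary reader of the file gets.
    cached=$(sha256sum < "$f" | cut -d' ' -f1)

    # Direct read from disk. bs must be a multiple of the block size for
    # O_DIRECT; 4096 is fine on ext4/xfs. On failure nothing can be
    # concluded, so report 2 rather than a false mismatch.
    if ! dd if="$f" of="$tmp" bs=4096 iflag=direct 2>/dev/null; then
        rm -f "$tmp"
        return 2
    fi
    ondisk=$(sha256sum < "$tmp" | cut -d' ' -f1)
    rm -f "$tmp"

    if [ "$cached" = "$ondisk" ]; then
        echo "OK       $f"
        return 0
    fi
    echo "MISMATCH $f (cache $cached, disk $ondisk)"
    return 1
}

# Sweep a list of files; exit 1 if any of them shows a cache/disk mismatch.
# Files that could not be checked (status 2) are not treated as failures.
pagecache_sweep() {
    bad=0
    for f in "$@"; do
        pagecache_check "$f" || [ $? -eq 2 ] || bad=1
    done
    return $bad
}

# Usage (file list is an illustrative choice, not from the article):
#   ./pagecache_check.sh /usr/bin/su /usr/bin/sudo /etc/passwd
if [ $# -gt 0 ]; then
    pagecache_sweep "$@"
fi
```

Two caveats. The check only works while the tampered pages are still cached; any local user can evict clean pages of a readable file (for example with posix_fadvise DONTNEED), so an attacker who cleans up after spawning the root shell leaves no trace for this check, and it is best run often or from a periodic job. And a file that was legitimately edited moments ago may still differ until writeback completes, so run it after sync on files that should not be changing at all.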
Microsoft's recommendations, pending a patched kernel, are to disable the esp4 and esp6 modules and related XFRM/IPsec functionality, restrict unnecessary local shell access, harden containerized workloads, and increase monitoring for abnormal privilege escalation activity.
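The first of those recommendations, blocking the ESP modules, is a configuration change with two traps: a modprobe drop-in does nothing if the module is compiled into the kernel, and it does nothing for a module that is already loaded. The script below is an added example written for this page, not code from Microsoft, the article, or any distribution. The module names esp4 and esp6 come from the recommendation above; the drop-in path, function names and the `install <module> /bin/false` technique are my choices, and applying it removes IPsec ESP from the host until it is reverted.

```shell
#!/bin/sh
# Temporary mitigation for the XFRM ESP-in-TCP bug class: keep the esp4/esp6
# kernel modules from being loaded until the distribution kernel patch is
# installed. This disables IPsec ESP on the host, so do not apply it to a
# VPN gateway without a plan.

ESP_MODULES="esp4 esp6"

# Write a modprobe.d drop-in. "install <mod> /bin/false" replaces the module's
# load command, so any request to load it (including a kernel-triggered
# autoload when a process configures an ESP transform) fails. "blacklist"
# alone only affects alias resolution and is the weaker form.
esp_write_dropin() {
    out="${1:-/etc/modprobe.d/disable-esp.conf}"
    {
        echo "# Mitigation: block ESP/XFRM modules until the kernel is patched"
        for m in $ESP_MODULES; do
            echo "install $m /bin/false"
        done
    } > "$out"
}

# Report whether the drop-in can work and whether it is already effective.
# A module listed in modules.builtin is compiled into the kernel and cannot be
# blocked by modprobe.d at all; only a kernel update helps. A module already
# present in /proc/modules must be unloaded as well.
# Returns 0 when no ESP module is loaded or built in, 1 otherwise.
# The two paths are parameters only so the function can be run against
# constructed files; the defaults are the live system locations.
esp_status() {
    proc_modules="${1:-/proc/modules}"
    builtin_list="${2:-/lib/modules/$(uname -r)/modules.builtin}"
    rc=0
    for m in $ESP_MODULES; do
        if [ -r "$builtin_list" ] && grep -q "/$m\.ko" "$builtin_list"; then
            echo "$m: built into this kernel; modprobe.d cannot block it, patch the kernel"
            rc=1
        elif [ -r "$proc_modules" ] && grep -q "^$m " "$proc_modules"; then
            echo "$m: currently loaded; run 'modprobe -r $m' after writing the drop-in"
            rc=1
        else
            echo "$m: not loaded"
        fi
    done
    return $rc
}

# Usage (as root):  ./disable_esp.sh apply   |   ./disable_esp.sh status
case "${1:-}" in
    apply)  esp_write_dropin && esp_status ;;
    status) esp_status ;;
esac
```

Order matters: write the drop-in first, then unload any loaded module, otherwise an in-flight autoload can bring it straight back. Re-run `status` after a reboot, and remove the drop-in once the patched kernel is in place and IPsec is needed again.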
The Register describes the situation quite nicely:
The Linux networking stack is starting to look less like infrastructure and more like a root exploit vending machine.
It's hard to disagree. When so many severe vulnerabilities of the same class appear in such quick succession, with this one reportedly introduced by the fix for a previous one, it starts to look like a systemic failure.