Researchers Warn of an Easily-Exploitable Privilege Escalation Vuln in Linux: Copy Fail

Affecting kernel versions going back to 2017, Copy Fail lets any unprivileged user switch to root — and many distros remain unpatched.

ghalfacree
21 minutes ago Security

Security researchers have warned of a local privilege escalation vulnerability in the Linux kernel, exploitable via a small Python script across a wide variety of distributions — and affecting kernel versions stretching back to 2017: Copy Fail.

"Most Linux LPEs [local privilege escalation vulnerabilities] need a race window or a kernel-specific offset. Copy Fail is a straight-line logic flaw — it needs neither," a team from security firm Xint explains of the issue. "The same 732-byte Python script roots every Linux distribution shipped since 2017. If your kernel was built between 2017 and the patch — which covers essentially every mainstream Linux distribution — you're in scope."

Running Linux? Then you're probably vulnerable to Copy Fail, a newly-discovered local privilege escalation vulnerability. (📹: Xint)

The issue lies in a part of the kernel designed to let applications accelerate cryptographic operations, which can be abused to modify the cached copies of files held in memory. In the proof-of-concept exploit shared by the Xint researchers, the su binary is modified so that it no longer requires a user to authenticate before dropping them into a root shell with complete control over the whole system.

"The write bypasses the VFS [Virtual Filesystem] path entirely; the corrupted page is never marked dirty," the researchers explain of the attack's stealth: the changes land in files the user would normally have no permission to modify, yet they never reach disk. "Nothing hits disk — on eviction or reboot, the cache reloads clean and a forensic disk image shows the original file."

The researchers have offered a two-line mitigation for those awaiting patches. (📷: Xint)

The vulnerability itself has existed in the Linux kernel since 2017, and while the researchers privately notified the maintainers a month before publication, many distributions have yet to ship a patched kernel. As a result, mitigation is required: removing the affected kernel module with rmmod algif_aead is enough to block exploitation on a running system, though the module will also have to be blacklisted to prevent it from loading again on reboot. For most systems, the researchers say, disabling the module will not cause any problems — though programs that rely on its presence and which are not configured with a userspace fallback may crash.
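As an added example, not the article's or Xint's own code, the script below wraps the mitigation described above (unload algif_aead, then keep it from loading again) together with a defender's check for the stealth property quoted earlier: because the tampered page is never marked dirty, reading a file through the page cache and reading it again with O_DIRECT (which fetches the on-disk copy) yields different hashes only if the cached copy has been altered. The file name under /etc/modprobe.d, the use of an "install ... /bin/false" directive, and the reliance on GNU dd's iflag=direct are this example's assumptions; the article itself only says to rmmod the module and blacklist it.

```shell
#!/bin/sh
# Added example (not from the article or from Xint). Assumptions: the
# modprobe.d file name below is this example's choice, "install ... /bin/false"
# is used in addition to "blacklist", and the page-cache check relies on GNU
# coreutils dd (iflag=direct) and sha256sum.

MODULE="algif_aead"
CONF_PATH="/etc/modprobe.d/disable-${MODULE}.conf"   # assumed path, not from the page

# Report whether the module appears in an lsmod-style listing read from stdin
# (the first line of lsmod output is the header, so it is skipped).
# Exit status 0 = loaded, 1 = not loaded.
module_loaded_in() {
    awk -v m="$MODULE" 'NR > 1 && $1 == m { found = 1 } END { exit !found }'
}

# Emit the modprobe.d content. modprobe.d(5) documents "blacklist" as only
# ignoring the module's internal aliases, so a load requested by module name can
# still succeed; "install <mod> /bin/false" makes that load fail as well.
mitigation_conf() {
    printf 'blacklist %s\ninstall %s /bin/false\n' "$MODULE" "$MODULE"
}

# Compare the page-cache view of a file (plain read) with its on-disk content
# (O_DIRECT read via dd). Returns 0 when the two hashes match, 1 otherwise or
# when the direct read is not possible (for example on a filesystem without
# O_DIRECT support).
cache_matches_disk() {
    f="$1"
    cached=$(sha256sum < "$f" | cut -d' ' -f1)
    ondisk=$(dd if="$f" iflag=direct bs=4096 2>/dev/null | sha256sum | cut -d' ' -f1)
    [ -n "$ondisk" ] && [ "$cached" = "$ondisk" ]
}

# Unload the module if present and write the persistent configuration.
# Needs root; only runs when the script is invoked with --apply.
apply_mitigation() {
    if lsmod | module_loaded_in; then
        rmmod "$MODULE" || return 1
    fi
    mitigation_conf > "$CONF_PATH"
}

# Check every setuid-root binary in the usual locations against its on-disk copy.
audit_setuid_binaries() {
    rc=0
    for f in $(find /usr/bin /usr/sbin /bin /sbin -xdev -perm -4000 -type f 2>/dev/null); do
        if ! cache_matches_disk "$f"; then
            echo "page cache differs from disk (or direct read failed): $f"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    --apply) apply_mitigation ;;
    --audit) audit_setuid_binaries ;;
esac
```

Run with `--audit` first on a suspect host; a mismatch on a setuid binary such as su is worth preserving as evidence before eviction or a reboot clears it, since, as the researchers note, a disk image alone will show the original file. Package verification tools that read files normally (through the page cache) compare the cached content against the package manifest and so would also flag a tampered cached copy, whereas anything that images the disk will not.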

More information is available on the copy.fail website; those running a Linux distribution are advised to keep checking for updated kernels and/or mitigation updates and install them as soon as they are available.

ghalfacree

Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.
