New 'Dirty Frag' Linux Vulnerability Possibly Exploited in Attacks

New 'Dirty Frag' Linux Vulnerability Possibly Exploited in Attacks

Briefly

"Because it is a deterministic logic bug that does not depend on a timing window, no race condition is required, the kernel does not panic when the exploit fails, and the success rate is very high,"

"The vulnerabilities affect the xfrm-ESP (IPsec) and RxRPC components of the Linux kernel, with the greatest impact on hosts that do not run container workloads. In container deployments, an attacker may be able to exploit Dirty Frag to escape a container, but this has yet to be demonstrated, Ubuntu developers noted."

"Copy Fail has been exploited in the wild, and Microsoft reports that Dirty Frag may also have been exploited. According to the tech giant, Dirty Frag can be exploited after attackers gain access to the targeted system, which can be achieved through various means, including compromised SSH accounts, web shell access via internet-exposed applications, abusing service accounts, container escapes to the host environment, or remote access compromise."

"Microsoft said its Defender product has seen limited in-the-wild activity that could indicate exploitation of either Dirty Frag or Copy Fail. "After gaining elevated access, the actor modifies a GLPI LDAP authentication file (evidenced by a .swp file from vim), performs reconnaissance of the GLPI directory and system configuration, a"