‘Dirty Frag’ Linux flaw one-ups CopyFail with no patches and public root exploit

Posted onAuthorCyber Security Review

Broken disclosure embargo left admins facing a fresh root-level flaw with no CVE

A fresh Linux privilege escalation bug dubbed “Dirty Frag” has dropped into the wild with no patches, no CVE, and a public exploit that hands attackers root access across major distributions.Security researcher Hyunwoo Kim disclosed the local privilege escalation flaw on Friday after what he said was a broken embargo forced the issue into the open.

Kim described Dirty Frag as a “universal LPE” affecting “all major distributions” and warned that it delivers the same kind of immediate root access as the recent CopyFail mess – only this time, defenders do not even have patches to throw at the problem.

Read more…
Source:  The Register News

Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox

Related:

  • New wormable Android malware poses as Netflix to hijack WhatsApp sessions

    April 7, 2021

    A new variant of Android malware has been discovered in an app on Google Play that entices users by promising free Netflix subscriptions. On Wednesday, Check Point Research (CPR) said the “wormable” mobile malware was discovered in the Google Play Store, the official repository for Android apps. The malicious software, dubbed “FlixOnline,” disguises itself as a ...

  • New Cring ransomware hits unpatched Fortinet VPN devices

    April 7, 2021

    A vulnerability impacting Fortinet VPNs is being exploited by a new human-operated ransomware strain known as Cring to breach and encrypt industrial sector companies’ networks. Cring ransomware (also known as Crypt3r, Vjiszy1lo, Ghost, Phantom) was discovered by Amigo_A in January and spotted by the CSIRT team of Swiss telecommunications provider Swisscom. The Cring operators drop customized Mimikatz ...

  • Man jailed for trying to buy chemical weapon online able to kill ‘hundreds’ of people

    April 7, 2021

    A man has been jailed for trying to buy a chemical weapon online capable of killing “hundreds” of people. On Tuesday, the US Department of Justice (DoJ) announced that Jason William Siesser, a resident of Missouri, will spend 12 years behind bars in federal prison without the possibility of parole. The 46-year-old tried to buy two and ...

  • New survey report released: The state of industrial cybersecurity (Part 2)

    April 6, 2021

    This article is a second part of our three-part blog series, explaining the result of Trend Micro’s latest survey about industrial cybersecurity. The previous post showed the result of this survey- most IT and OT people recognize the biggest challenge is technology rather than people and process. We also found some gaps of awareness between ...

  • Meet Janeleiro: a new banking Trojan striking company, government targets

    April 6, 2021

    A banking Trojan striking corporate targets across Brazil has been unmasked by researchers. On Tuesday, ESET published an advisory on the malware, which has been in development since 2018. Dubbed Janeleiro, the Trojan appears to be focused on Brazil as a hunting ground and has been used in cyberattacks against corporate players in sectors including healthcare, engineering, ...

  • European Commission, other EU orgs recently hit by cyber-attack

    April 6, 2021

    The European Commission and several other European Union organizations were hit by a cyberattack in March, according to a European Commission spokesperson. As revealed by the spokesperson, the “IT security incident” impacted multiple EU institutions, bodies, or agencies’ IT infrastructure. “We are working closely with CERT-EU, the Computer Emergency Response Team for all EU institutions, bodies and ...