Copy Fail has beenexploited in the wild, and Microsoft reports that Dirty Frag may also have been exploited.According to the tech giant, Dirty Frag can be exploited after attackers gain access to the targeted system, which can be achieved through various means, including compromised SSH accounts, web shell access via internet-exposed applications, abusing service accounts, container escapes to the host environment, or remote access compromise.Microsoft said its Defender product has seen limited in-the-wild activity that could indicate exploitation of either Dirty Frag or Copy Fail.“After gaining elevated access, the actor modifies a GLPI LDAP authentication file (evidenced by a .swp file from vim), performs reconnaissance of the GLPI directory and system configuration, and inspects an exploit artifact,” Microsoftexplained.“The activity then shifts to accessing sensitive data and interacting with PHP session files — first deleting multiple session files and then forcefully wiping additional ones — before reading remaining session data, indicating both disruption of active sessions and access to session contents,” it added.Linux distributions have started releasing patches and mitigations for Dirty Frag, includingRed Hat,Amazon Linux,Ubuntu,Fedora, andAlma Linux.Related:OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsRelated:Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root AccessRelated:Organizations Warned of Exploited Linux Vulnerabilities
According to the tech giant, Dirty Frag can be exploited after attackers gain access to the targeted system, which can be achieved through various means, including compromised SSH accounts, web shell access via internet-exposed applications, abusing service accounts, container escapes to the host environment, or remote access compromise.Microsoft said its Defender product has seen limited in-the-wild activity that could indicate exploitation of either Dirty Frag or Copy Fail.“After gaining elevated access, the actor modifies a GLPI LDAP authentication file (evidenced by a .swp file from vim), performs reconnaissance of the GLPI directory and system configuration, and inspects an exploit artifact,” Microsoftexplained.“The activity then shifts to accessing sensitive data and interacting with PHP session files — first deleting multiple session files and then forcefully wiping additional ones — before reading remaining session data, indicating both disruption of active sessions and access to session contents,” it added.Linux distributions have started releasing patches and mitigations for Dirty Frag, includingRed Hat,Amazon Linux,Ubuntu,Fedora, andAlma Linux.Related:OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsRelated:Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root AccessRelated:Organizations Warned of Exploited Linux Vulnerabilities
Microsoft said its Defender product has seen limited in-the-wild activity that could indicate exploitation of either Dirty Frag or Copy Fail.“After gaining elevated access, the actor modifies a GLPI LDAP authentication file (evidenced by a .swp file from vim), performs reconnaissance of the GLPI directory and system configuration, and inspects an exploit artifact,” Microsoftexplained.“The activity then shifts to accessing sensitive data and interacting with PHP session files — first deleting multiple session files and then forcefully wiping additional ones — before reading remaining session data, indicating both disruption of active sessions and access to session contents,” it added.Linux distributions have started releasing patches and mitigations for Dirty Frag, includingRed Hat,Amazon Linux,Ubuntu,Fedora, andAlma Linux.Related:OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsRelated:Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root AccessRelated:Organizations Warned of Exploited Linux Vulnerabilities
“After gaining elevated access, the actor modifies a GLPI LDAP authentication file (evidenced by a .swp file from vim), performs reconnaissance of the GLPI directory and system configuration, and inspects an exploit artifact,” Microsoftexplained.“The activity then shifts to accessing sensitive data and interacting with PHP session files — first deleting multiple session files and then forcefully wiping additional ones — before reading remaining session data, indicating both disruption of active sessions and access to session contents,” it added.Linux distributions have started releasing patches and mitigations for Dirty Frag, includingRed Hat,Amazon Linux,Ubuntu,Fedora, andAlma Linux.Related:OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsRelated:Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root AccessRelated:Organizations Warned of Exploited Linux Vulnerabilities
“The activity then shifts to accessing sensitive data and interacting with PHP session files — first deleting multiple session files and then forcefully wiping additional ones — before reading remaining session data, indicating both disruption of active sessions and access to session contents,” it added.Linux distributions have started releasing patches and mitigations for Dirty Frag, includingRed Hat,Amazon Linux,Ubuntu,Fedora, andAlma Linux.Related:OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsRelated:Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root AccessRelated:Organizations Warned of Exploited Linux Vulnerabilities
Linux distributions have started releasing patches and mitigations for Dirty Frag, includingRed Hat,Amazon Linux,Ubuntu,Fedora, andAlma Linux.Related:OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsRelated:Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root AccessRelated:Organizations Warned of Exploited Linux Vulnerabilities
Related:OpenSSH Flaw Allowing Full Root Shell Access Lurked for 15 YearsRelated:Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root AccessRelated:Organizations Warned of Exploited Linux Vulnerabilities
Related:Easily Exploitable ‘Pack2TheRoot’ Linux Vulnerability Leads to Root AccessRelated:Organizations Warned of Exploited Linux Vulnerabilities
Related:Organizations Warned of Exploited Linux Vulnerabilities
Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Source: SecurityWeek
