Update: Dirty Cow Vulnerability
Have you been affected by the Linux Kernel vulnerability? If so, what do you do next?
Reports state that on October 19, 2016, a Linux kernel vulnerability was discovered. This vulnerability has been nicknamed “Dirty Cow” (CVE-2016-5195) because it manipulates the copy-on-write (COW) mechanism in the Linux kernel’s memory subsystem. The vulnerability has existed for the last nine years, but has only been brought to light recently. Experts state that the vulnerability has been present since kernel version 2.6.22, meaning that most servers are vulnerable.
According to Phil Oester, the Linux security researcher who discovered the flaw, the Dirty Cow vulnerability will become widely used if preventive measures are not put in place. He states, “The exploit in the wild is trivial to execute, never fails and has probably been around for years – the version I obtained was compiled with gcc 4.8”. He continues, “As Linus [Torvalds] notes in his commit, this is an ancient bug and impacts kernels going back many years. All Linux users need to take this bug very seriously, and patch their systems ASAP.”
Anyone who exploits the Dirty Cow vulnerability can escalate their privileges on a given system, moving from a regular user's access to high-privilege access. This is dangerous for any individual or company whose systems have multiple users who could gain access to sensitive data. The best solution is to detect the vulnerability and patch it as soon as possible to avoid any possible security breaches.
What do you do if you have been affected by the Dirty Cow vulnerability?
First you will need to determine whether or not you are affected. To verify whether your server(s) are vulnerable to the Dirty Cow exploit, you can run the following checks:
For Debian and Ubuntu:
$ uname -rv
If your kernel version is older than the following, then you are most likely affected:
- 4.8.0-26.28 for Ubuntu 16.10
- 4.4.0-45.66 for Ubuntu 16.04 LTS
- 3.13.0-100.147 for Ubuntu 14.04 LTS
- 3.2.0-113.155 for Ubuntu 12.04 LTS
- 3.16.36-1+deb8u2 for Debian 8 (Jessie)
- 3.2.82-1 for Debian 7 (Wheezy)
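The comparison above can be scripted. The following is an added example, not part of the original post or any vendor tool: it derives the kernel package version from `uname -rv` output and compares it with the fixed versions listed above. The function names and the release labels (such as `ubuntu-16.04`) are assumptions made for this example.

```sh
# Added example, not from the original page.
# Ubuntu: "4.4.0-45-generic #66-Ubuntu SMP ..."           -> 4.4.0-45.66
# Debian: "3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2" -> 3.16.36-1+deb8u2
# Anything else (e.g. "#66~14.04.1-Ubuntu" HWE builds) prints nothing.
kernel_pkg_version() {
    case "$1" in
        *" Debian "*)
            printf '%s\n' "$1" | sed -n 's/.* Debian \([^ ]*\).*/\1/p' ;;
        *-Ubuntu*)
            printf '%s\n' "$1" |
                sed -n 's/^\([0-9.]*-[0-9]*\)[^ ]* #\([0-9]*\)-Ubuntu.*/\1.\2/p' ;;
    esac
}

# Fixed versions as listed on this page; the release labels are hypothetical
# keys chosen to match "$ID-$VERSION_ID" from /etc/os-release.
fixed_version() {
    case "$1" in
        ubuntu-16.10) echo '4.8.0-26.28' ;;
        ubuntu-16.04) echo '4.4.0-45.66' ;;
        ubuntu-14.04) echo '3.13.0-100.147' ;;
        ubuntu-12.04) echo '3.2.0-113.155' ;;
        debian-8)     echo '3.16.36-1+deb8u2' ;;
        debian-7)     echo '3.2.82-1' ;;
    esac
}

# Exit 0 when version $1 sorts strictly before $2.
version_lt() {
    [ "$1" != "$2" ] || return 1
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else  # fallback: GNU sort -V, adequate for the plain versions used here
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# check_kernel RELEASE "UNAME_RV" prints: vulnerable | patched | unknown
# uname describes the *running* kernel, so an installed fix still reads as
# vulnerable until the machine is rebooted into it.
check_kernel() {
    have=$(kernel_pkg_version "$2")
    want=$(fixed_version "$1")
    if [ -z "$have" ] || [ -z "$want" ]; then echo unknown
    elif version_lt "$have" "$want"; then echo vulnerable
    else echo patched
    fi
}

# On a live host: . /etc/os-release; check_kernel "$ID-$VERSION_ID" "$(uname -rv)"
```

A result of `unknown` means the `uname -rv` string or the release is not one this example covers, so the check has to be done by hand.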
For Red Hat/CentOS:
Red Hat has provided a detection script for users that can be downloaded here:
http://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
Once downloaded, you can then run the detection script on the local machine with the following command:
$ bash rh-cve-2016-5195_1.sh
We highly recommend you patch your server as soon as possible to avoid remaining vulnerable. Operating-system-specific information can be found through the following links:
Red Hat/CentOS:
http://access.redhat.com/security/cve/cve-2016-5195
http://access.redhat.com/security/vulnerabilities/2706661
http://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13
Debian:
http://security-tracker.debian.org/tracker/CVE-2016-5195
Ubuntu:
http://www.ubuntu.com/usn/usn-3107-1/
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html
If you have any questions about this vulnerability, please contact our technical support staff by opening a chat or creating a ticket within your control panel.