Know more about dirty cow vulnerability – CVE-2016-5195

How to clean a dirty Cow? Lol!!

We are all already aware of the recently detected vulnerability that affects the Linux kernel memory subsystem. It has been assigned CVE-2016-5195. Since the feature affected by this bug is the copy-on-write (COW) mechanism the Linux kernel uses to manage ‘dirty’ memory pages, the vulnerability has been nicknamed ‘Dirty COW’.

Almost all providers have already released patches against this vulnerability. Here I am going to list some of them as a quick reference.

This issue was publicly disclosed on October 19, 2016 and has been rated as Important, as it affects all Linux kernels.

What is CVE-2016-5195?
How to patch kernels against CVE-2016-5195?
-> CentOS & RHEL
-> Ubuntu/Debian
-> CloudLinux Kernel
-> KernelCare

What is CVE-2016-5195?

CVE-2016-5195 is the official reference code to this bug by CVE (Common Vulnerabilities and Exposures).

COW – Copy-On-Write


This bug lives in the Linux kernel’s memory subsystem. A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild. This flaw affects most modern Linux distributions.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, and MRG 2.x. This issue has been rated as having Important security impact.

How to patch Linux kernel against dirty cow vulnerability?

1. RHEL & CentOS

RHEL & CentOS have not released patched kernels yet. However, Red Hat has published identification and mitigation steps, and the detection script can be downloaded from Red Hat’s website with the command below.

Otherwise please use the following steps.

Download the script:

wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

To execute the script:

bash rh-cve-2016-5195_1.sh

Note that the above script will not work on a CentOS system; it exits with the following message:

# bash rh-cve-2016-5195_1.sh
This script is only meant to detect vulnerable kernels on Red Hat Enterprise Linux 5, 6 and 7.

Mitigation steps for CentOS and RHEL servers

One mitigation option is available for CentOS and RHEL servers. You need to apply it on your server, as a patched kernel has not been released yet. Once it is available, you will be able to install it with the yum command.

Let’s start;

Step 1 : Make sure that your server is running the latest kernel. If so, go to the next step; otherwise update the kernel and reboot the machine.

Step 2 : Create a file “update.stp” and add the following lines:

# Block writes through /proc/PID/mem: force the byte count to zero so the
# kernel's mem_write() handler has nothing to copy.
probe kernel.function("mem_write").call ? {
        $count = 0
}

# Overwrite the ptrace request with an invalid value, which closes the
# PTRACE_POKEDATA write path.
probe syscall.ptrace {  // includes compat ptrace as well
        $request = 0xfff
}

probe begin {
        printk(0, "CVE-2016-5195 mitigation loaded")
}

# Fires when stap exits: the probes are active only while stap is running.
probe end {
        printk(0, "CVE-2016-5195 mitigation unloaded")
}

Step 3 : Install the “systemtap” package and its required dependencies.

yum install systemtap kernel-devel

Step 4 : Execute the following command (the stap process stays in the foreground while the probes are active):

stap -g update.stp

FYI, this mitigation does not survive a reboot. The stap process must keep running, and these steps have to be repeated after every reboot.

2. Ubuntu/Debian

You need to check the current kernel version on your system/server to identify whether it is affected or not. You can use the uname command to check the current kernel version.

uname -rv

Example

# uname -rv
4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016

All kernel versions prior to the following are affected. See the list below:

4.8.0-26.28 for Ubuntu 16.10
4.4.0-45.66 for Ubuntu 16.04 LTS
3.13.0-100.147 for Ubuntu 14.04 LTS
3.2.0-113.155 for Ubuntu 12.04 LTS
3.16.36-1+deb8u2 for Debian 8
3.2.82-1 for Debian 7
4.7.8-1 for Debian unstable
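To make the comparison against this list mechanical, here is an added example script (not from the original post) that parses a uname -rv line, derives the kernel package version and compares it with the table above using dpkg's version-ordering rules, reimplemented in Python so the check also runs on a non-Debian host. It assumes the Ubuntu mapping that the ABI number in uname -r (45 in 4.4.0-45-generic) and the upload number in uname -v (#66) together form the package version 4.4.0-45.66, and that Debian prints the package version verbatim after the word "Debian" in uname -v. Apart from the post's own uname line, the sample lines are constructed.

```python
"""Dirty COW (CVE-2016-5195) fixed-version check for Ubuntu/Debian kernels.
Added example, not part of the original post: parses a `uname -rv` line,
derives the kernel package version and compares it with the post's fixed
versions using dpkg's ordering rules (reimplemented; dpkg is not called)."""
import re

# Fixed kernel package versions, as listed in the post.
FIXED_VERSIONS = {
    "Ubuntu 16.10": "4.8.0-26.28",
    "Ubuntu 16.04 LTS": "4.4.0-45.66",
    "Ubuntu 14.04 LTS": "3.13.0-100.147",
    "Ubuntu 12.04 LTS": "3.2.0-113.155",
    "Debian 8": "3.16.36-1+deb8u2",
    "Debian 7": "3.2.82-1",
    "Debian unstable": "4.7.8-1",
}

# Ubuntu: "4.4.0-45-generic #66-Ubuntu ..." -> package 4.4.0-45.66 (an HWE
# suffix such as ~14.04.1 is kept). Debian prints the package version after "Debian".
_UBUNTU_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)-\S+\s+#(\d+)(~[\w.]+)?-Ubuntu")
_DEBIAN_RE = re.compile(r"\bDebian (\S+)")

def package_version_from_uname(uname_rv):
    """Derive the kernel package version from one line of `uname -rv` output."""
    m = _UBUNTU_RE.match(uname_rv)
    if m:
        base, abi, upload, hwe = m.groups()
        return "%s-%s.%s%s" % (base, abi, upload, hwe or "")
    m = _DEBIAN_RE.search(uname_rv)
    if m:
        return m.group(1)
    raise ValueError("unrecognised uname -rv line: %r" % uname_rv)

def _order(c):
    """dpkg character weight: '~' < end-of-string/digit < letters < other."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a, b):
    """Compare an upstream-version or revision string like dpkg's verrevcmp()."""
    ch = lambda s, k: s[k] if k < len(s) else ""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character weights one by one.
        while (ch(a, i) and not ch(a, i).isdigit()) or (ch(b, j) and not ch(b, j).isdigit()):
            oa, ob = _order(ch(a, i)), _order(ch(b, j))
            if oa != ob:
                return -1 if oa < ob else 1
            i, j = i + 1, j + 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        first_diff = 0
        while ch(a, i).isdigit() and ch(b, j).isdigit():
            first_diff = first_diff or ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if ch(a, i).isdigit():
            return 1
        if ch(b, j).isdigit():
            return -1
        if first_diff:
            return -1 if first_diff < 0 else 1
    return 0

def _split(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)

def assess(uname_rv, release):
    """Return (running_version, fixed_version, is_fixed) for a distro release."""
    running = package_version_from_uname(uname_rv)
    fixed = FIXED_VERSIONS[release]
    return running, fixed, compare_versions(running, fixed) >= 0

# First line is the post's own example; the other two are constructed.
SAMPLE_LINES = [
    ("Ubuntu 16.04 LTS", "4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016"),
    ("Ubuntu 16.04 LTS", "4.4.0-43-generic #63-Ubuntu SMP Wed Oct 12 13:48:03 UTC 2016"),
    ("Debian 8", "3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-17)"),
]

if __name__ == "__main__":
    for rel, line in SAMPLE_LINES:
        running, fixed, ok = assess(line, rel)
        print("%s: running %s, fixed in %s -> %s" % (rel, running, fixed, "patched" if ok else "VULNERABLE"))
```

On a live host, feed the output of uname -rv to assess() together with the release name. The tilde handling in _order matters for HWE kernels: 4.4.0-45.66~14.04.1 sorts before 4.4.0-45.66, exactly as dpkg orders it, so a backported kernel is not mistaken for the newer one.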

Fix

The fix is simple: update the packages and reboot the server. Please see the commands listed below:

sudo apt-get update && sudo apt-get dist-upgrade
sudo shutdown -r now

3. CloudLinux Kernel

CloudLinux has released patched kernels for all of their versions. You can update using yum.

CloudLinux 7

yum clean all; yum install kernel-3.10.0-427.10.1.lve1.4.22.el7 kmod-lve-1.4-22.el7 --enablerepo=cloudlinux-updates-testing

CloudLinux 6

yum clean all; yum install kernel-2.6.32-673.26.1.lve1.4.18.el6 kmod-lve-1.4-18.el6 --enablerepo=cloudlinux-updates-testing

CloudLinux 5

[Post edited on November 1, 2016]

Updated CloudLinux 5 kernel (version 2.6.18-508.el5.lve0.8.89) with the Dirty COW issue fix and another fix from OpenVZ team is now available from our production repository.

yum install kernel-2.6.18-508.el5.lve0.8.89

More info → https://www.cloudlinux.com/cloudlinux-os-blog/entry/dirty-cow-issue-the-fix-is-coming

If you are using Kernel Care on your CloudLinux server, it would be already updated.
The following CloudLinux Kernel update includes the patch:

kernel-2.6.32-673.26.1.lve1.4.15.el6 (cl6)

More details : http://patches.kernelcare.com/c1e0b04f854cf83af3bccad9ef9df736ad51d0a2/4/kpatch.html

How to check whether my KernelCare kernel is up-to-date / patched?

As stated above, the latest patched kernel is kernel-2.6.32-673.26.1.lve1.4.15.el6 (cl6). Please check the current kernel on your server.

Please use the following commands:

# kcarectl --uname
2.6.32-673.26.1.lve1.4.15.el6.x86_64+
# kcarectl --update
Kernel is safe

That’s it! Don’t waste time, please update the kernel and clean the cow 😛
I’ll update this topic when RHEL releases their kernel patches.

Arunlal Ashok


1 Response

  1. Heba Habeeb says:

    Just an update: If you get this error after running the stap -g update.stp command, then please make sure you have installed kernel-debuginfo on your server.

    =====
    semantic error: while resolving probe point: identifier ‘syscall’ at update.stp:5:7
    source: probe syscall.ptrace { // includes compat ptrace as well
    ^

    semantic error: no match
    =====

    If the kernel-debuginfo package isn’t available for your kernel, then we need to wait until CentOS releases the patched kernel version 🙁
