Oct 27

Update: Dirty Cow Vulnerability

Have you been affected by the Linux Kernel vulnerability? If so, what do you do next?

Reports state that on October 19, 2016 a Linux kernel vulnerability was discovered. It has been nicknamed “Dirty Cow” (CVE-2016-5195) because it manipulates the copy-on-write (COW) function within the Linux kernel’s memory subsystem. The vulnerability has existed for the last nine years, but has only recently been brought to light. Experts state that it has been present since kernel version 2.6.22, meaning that most servers are vulnerable.

According to Phil Oester, the Linux security researcher who discovered the flaw, the Dirty Cow vulnerability will become widely used if preventive measures are not put in place. He states, “The exploit in the wild is trivial to execute, never fails and has probably been around for years – the version I obtained was compiled with gcc 4.8”. He continues, “As Linus [Torvalds] notes in his commit, this is an ancient bug and impacts kernels going back many years. All Linux users need to take this bug very seriously, and patch their systems ASAP.”

Those who exploit the Dirty Cow vulnerability can escalate their privileges on a given system, moving from the access of a regular user to high-privilege access. This can be detrimental to any individual or company with multiple users who could then reach sensitive data. The best solution is to detect the vulnerability and patch it as soon as possible to avoid a security breach.

What do you do if you have been affected by the Dirty Cow vulnerability?

First you will need to determine whether you are affected. To verify whether your servers are vulnerable to the Dirty Cow exploit, run the following checks:

For Debian and Ubuntu:

$ uname -rv

If your kernel version is older than the following, you are most likely affected:

  • 4.8.0-26.28 for Ubuntu 16.10
  • 4.4.0-45.66 for Ubuntu 16.04 LTS
  • 3.13.0-100.147 for Ubuntu 14.04 LTS
  • 3.2.0-113.155 for Ubuntu 12.04 LTS
  • 3.16.36-1+deb8u2 for Debian 8 (Jessie)
  • 3.2.82-1 for Debian 7 (Wheezy)
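
The versions listed above do not appear verbatim in `uname -rv` output: Ubuntu splits the package version between the release string and the `#NN-Ubuntu` upload number, while Debian prints it after the word `Debian`. The Python sketch below is an added example, not part of the original article or any vendor tool; the release keys, function names and sample lines are constructed, and the integer-field comparison is a simplification of Debian version ordering.

```python
import re
import subprocess
import sys

# Fixed package versions from the list above; the release keys are made up here.
FIXED = {
    "ubuntu-16.10": "4.8.0-26.28",
    "ubuntu-16.04": "4.4.0-45.66",
    "ubuntu-14.04": "3.13.0-100.147",
    "ubuntu-12.04": "3.2.0-113.155",
    "debian-8": "3.16.36-1+deb8u2",
    "debian-7": "3.2.82-1",
}

# Constructed `uname -rv` lines for illustration (not captured from real hosts).
SAMPLES = {
    "ubuntu_old": "4.4.0-42-generic #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016",
    "ubuntu_fixed": "4.4.0-45-generic #66-Ubuntu SMP Wed Oct 19 14:12:37 UTC 2016",
    "ubuntu_hwe": "4.4.0-31-generic #50~14.04.1-Ubuntu SMP Wed Jul 13 01:07:32 UTC 2016",
    "debian_old": "3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u1 (2016-09-03)",
    "debian_fixed": "3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)",
}

def package_version(uname_rv):
    """Recover the kernel package version from `uname -rv` output."""
    # Debian prints the full package version after the word "Debian".
    m = re.search(r"\bDebian (\S+)", uname_rv)
    if m:
        return m.group(1)
    # Ubuntu: "4.4.0-45-generic #66-Ubuntu ..." corresponds to package 4.4.0-45.66.
    m = re.match(r"(\d+\.\d+\.\d+-\d+)\S* #(\d+)\S*-Ubuntu", uname_rv)
    if m:
        return f"{m.group(1)}.{m.group(2)}"
    raise ValueError("unrecognised uname -rv output")

def is_vulnerable(uname_rv, release):
    """True if older than the fixed version, False if not, None if not comparable."""
    have = [int(n) for n in re.findall(r"\d+", package_version(uname_rv))]
    fixed = [int(n) for n in re.findall(r"\d+", FIXED[release])]
    # A different kernel series (HWE or backports kernel) is not covered by the list.
    if have[:2] != fixed[:2]:
        return None
    return have < fixed

if __name__ == "__main__":
    # Usage: python3 check.py ubuntu-16.04   (the script name is arbitrary)
    line = subprocess.check_output(["uname", "-rv"], text=True).strip()
    print(line, "->", is_vulnerable(line, sys.argv[1]))
```

Because `uname` reports the running kernel, a host keeps showing the old version after the patched package is installed until it is rebooted.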

For Red Hat/CentOS:

Red Hat has provided a detection script that can be downloaded here:

https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

Once downloaded, you can then run the detection script on the local machine with the following command:

$ bash rh-cve-2016-5195_1.sh

We highly recommend you patch your server as soon as possible to avoid further exposure. Operating-system-specific information can be found through the following links:

Red Hat/CentOS:

https://access.redhat.com/security/cve/cve-2016-5195

https://access.redhat.com/security/vulnerabilities/2706661

https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

Debian:

https://security-tracker.debian.org/tracker/CVE-2016-5195

Ubuntu:

https://www.ubuntu.com/usn/usn-3107-1/

http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-5195.html

If you have any questions about this vulnerability, please contact our technical support staff by opening a chat or creating a ticket within your control panel.

This article was brought to you by VPS.net, for dedicated server hosting, cloud servers and 24/7 support visit our site here vps.net
