A serious vulnerability named Dirty COW has recently been discovered, putting the Linux kernel at risk. The vulnerability is said to have existed for nine years (since version 2.6.22 in 2007) and remained unnoticed throughout this time. A researcher named Phil Oester detected this serious threat.
According to him, the vulnerability is a race condition in the way the Linux kernel’s memory subsystem handles the copy-on-write (COW) breakage of private read-only memory mappings. By exploiting it, attackers gain write access to otherwise read-only memory mappings, which lets them increase their privileges on the system.
There is a good chance that your device is vulnerable to this attack if you are running a Linux kernel version higher than 2.6.22. The list below shows popular Linux distributions vulnerable to this attack.
- Red Hat Enterprise Linux 7.x
- Red Hat Enterprise Linux 6.x
- Red Hat Enterprise Linux 5.x
- CentOS Linux 7.x
- CentOS Linux 6.x
- CentOS Linux 5.x
- Debian Linux wheezy
- Debian Linux jessie
- Debian Linux stretch
- Debian Linux sid
- Ubuntu Linux precise (LTS 12.04)
- Ubuntu Linux trusty
- Ubuntu Linux xenial (LTS 16.04)
- Ubuntu Linux yakkety
- Ubuntu Linux vivid/ubuntu-core
- SUSE Linux Enterprise 11 and 12
- OpenWrt
How to detect the vulnerability?
The first step in detecting the vulnerability is to identify the current kernel version using the uname command.
Ubuntu/Debian:
For Ubuntu servers, use the following command to find the kernel version.
$ uname -rv
You’ll see output like this:
4.4.0-42-generic #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016
If the version displayed is earlier than the version listed below for your release, your server is affected by the vulnerability.
- 4.8.0-26.28 for Ubuntu 16.10
- 4.4.0-45.66 for Ubuntu 16.04 LTS
- 3.13.0-100.147 for Ubuntu 14.04 LTS
- 3.2.0-113.155 for Ubuntu 12.04 LTS
- 3.16.36-1+deb8u2 for Debian 8
- 3.2.82-1 for Debian 7
- 4.7.8-1 for Debian unstable
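The comparison above can be scripted. The following is an added example, not part of the original article or any vendor tool: it rebuilds the Ubuntu package version from the `uname -rv` text (ABI number from the release string, upload number from the `#NN-Ubuntu` field) and compares it numerically with the fixed versions in the list. The function names are hypothetical, it assumes the stock kernel for each release, and it covers only the Ubuntu rows.

```shell
#!/bin/sh
# Added example (not from the article); helper names are hypothetical.

# Fixed package version per kernel series, copied from the list above.
# Assumption: stock kernel, so the series identifies the Ubuntu release.
fixed_for_series() {
    case "$1" in
        4.8.0)  echo "4.8.0-26.28" ;;     # Ubuntu 16.10
        4.4.0)  echo "4.4.0-45.66" ;;     # Ubuntu 16.04 LTS
        3.13.0) echo "3.13.0-100.147" ;;  # Ubuntu 14.04 LTS
        3.2.0)  echo "3.2.0-113.155" ;;   # Ubuntu 12.04 LTS
        *)      return 1 ;;
    esac
}

# "4.4.0-42-generic #62-Ubuntu SMP ..." -> "4.4.0-42.62" (empty if not Ubuntu).
pkg_version() {
    printf '%s\n' "$1" | sed -n -E \
        's/^([0-9]+\.[0-9]+\.[0-9]+)-([0-9]+)-[^ ]+ #([0-9]+)[^ ]*-Ubuntu.*/\1-\2.\3/p'
}

# Succeed if version $1 is lower than $2. Fields are compared as numbers,
# because a string comparison would rank 3.13.0-98 above 3.13.0-100.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "lower"
    }'
}

# Print vulnerable, patched or unknown for one `uname -rv` string.
check_dirtycow() {
    ver=$(pkg_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    fixed=$(fixed_for_series "${ver%%-*}") || { echo unknown; return 0; }
    if version_lt "$ver" "$fixed"; then echo vulnerable; else echo patched; fi
}

# The article's sample output (prints "vulnerable"), then the running system.
check_dirtycow '4.4.0-42-generic #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016'
check_dirtycow "$(uname -rv)"
```

An "unknown" result means the string was not a recognised Ubuntu kernel from the list, not that the system is safe.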
CentOS:
If you’re on CentOS, you can use this script provided by Red Hat to test whether your server is vulnerable. To do so, first download the script.
wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
Then run it with bash.
bash rh-cve-2016-5195_1.sh
If you’re vulnerable, you’ll see output like this:
Your kernel is 3.10.0-327.36.1.el7.x86_64 which is vulnerable. Red Hat recommends that you update your kernel. Alternatively, you can apply partial mitigation described at https://access.redhat.com/security/vulnerabilities/2706661.
How to get yourself protected?
To resolve this bug quickly, update your Linux distribution to the latest available version. Keep in mind that a system reboot is necessary for the kernel update to take effect.
You can make use of the following commands to update your Debian/Ubuntu/CentOS systems:
Debian/Ubuntu:
$ sudo apt-get update && sudo apt-get dist-upgrade
Finally, reboot your server for the changes to take effect.
CentOS:
You can use the yum command to update the kernel to the latest version.