Dirty COW [ CVE-2016-5195 ]
COW -> Copy-On-Write

Dirty Cow
Dirty COW is an old vulnerability that has resurfaced after 10 long years. The issue was first identified by Linus Torvalds, and it proved difficult to patch. It is a privilege-escalation vulnerability, in which a normal user on the server gains root-level privileges. The flaw is in the Linux kernel, so almost all Linux flavors are affected, and an installed malicious app can gain root-level access and read all the data on your server.
The following Red Hat OS versions are affected:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Red Hat Enterprise MRG 2
Red Hat Openshift Online v2
Red Hat Virtualization (RHEV-H/RHV-H)
To check whether your Red Hat version is affected:
wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_3.sh
chmod 755 rh-cve-2016-5195_3.sh
src]#./rh-cve-2016-5195_3.sh
Your kernel is 2.6.32-431.el6.x86_64 which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .
Earlier versions of the following Ubuntu kernels are affected:
4.8.0-26.28 for Ubuntu 16.10
4.4.0-45.66 for Ubuntu 16.04 LTS
3.13.0-100.147 for Ubuntu 14.04 LTS
3.2.0-113.155 for Ubuntu 12.04 LTS
Amazon OS:
Amazon has patched all of its kernel versions for COW. The patched versions are given below:
x86_64:
kernel-tools-devel-4.4.23-31.54.amzn1.x86_64
kernel-4.4.23-31.54.amzn1.x86_64
kernel-tools-debuginfo-4.4.23-31.54.amzn1.x86_64
perf-debuginfo-4.4.23-31.54.amzn1.x86_64
kernel-devel-4.4.23-31.54.amzn1.x86_64
kernel-tools-4.4.23-31.54.amzn1.x86_64
perf-4.4.23-31.54.amzn1.x86_64
kernel-debuginfo-4.4.23-31.54.amzn1.x86_64
kernel-headers-4.4.23-31.54.amzn1.x86_64
kernel-debuginfo-common-x86_64-4.4.23-31.54.amzn1.x86_64
i686:
kernel-4.4.23-31.54.amzn1.i686
kernel-devel-4.4.23-31.54.amzn1.i686
kernel-tools-debuginfo-4.4.23-31.54.amzn1.i686
kernel-tools-devel-4.4.23-31.54.amzn1.i686
kernel-debuginfo-common-i686-4.4.23-31.54.amzn1.i686
perf-4.4.23-31.54.amzn1.i686
kernel-debuginfo-4.4.23-31.54.amzn1.i686
perf-debuginfo-4.4.23-31.54.amzn1.i686
kernel-tools-4.4.23-31.54.amzn1.i686
kernel-headers-4.4.23-31.54.amzn1.i686
FIX:
You can fix this either by upgrading to the patched kernel or by removing all the packages marked as rc by dpkg:
# dpkg --list | grep "^rc" | cut -d " " -f 3 | xargs sudo dpkg --purge
However, UROLIME recommends upgrading the installed kernel to the latest stable release. Your server may require a reboot after the kernel upgrade.
Red Hat/CentOS:
yum update kernel
Ubuntu:
apt-get install linux-generic
Amazon:
yum update kernel
Below are the steps we used on one of our Ubuntu servers.
root@ip-172-31-3-253:~# uname -rv
3.13.0-92-generic #139-Ubuntu SMP Tue Jun 28 20:42:26 UTC 2016
apt-get update
apt-get install linux-generic
reboot
root@ip-172-31-3-253:~# uname -rv
3.13.0-100-generic #147-Ubuntu SMP Tue Oct 18 16:48:51 UTC 2016
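An Ubuntu counterpart to the Red Hat check script, added here as an example (not code from the original page or from Ubuntu): it compares a `uname -rv` string against the fixed versions listed above. The function names are hypothetical, and it assumes Ubuntu's convention that `3.13.0-100-generic #147-Ubuntu` corresponds to package version `3.13.0-100.147`.

```sh
#!/bin/sh
# Fixed kernel package versions per Ubuntu release, copied from the list above.
fixed_version() {
    case "$1" in
        16.10) echo 4.8.0-26.28 ;;
        16.04) echo 4.4.0-45.66 ;;
        14.04) echo 3.13.0-100.147 ;;
        12.04) echo 3.2.0-113.155 ;;
        *) return 1 ;;
    esac
}

# Map `uname -rv` output ("3.13.0-92-generic #139-Ubuntu SMP ...") to the
# package version "3.13.0-92.139" (assumed scheme: base-ABI.upload).
pkg_version() {
    case "$1" in
        [0-9]*-[0-9]*" #"[0-9]*-Ubuntu*) ;;
        *) return 1 ;;
    esac
    rel=${1%% *}; abi=${rel#*-}; rest=${1#*'#'}
    echo "${rel%%-*}-${abi%%-*}.${rest%%-*}"
}

# Exit 0 when version $1 is strictly older than $2 (numeric field compare).
ver_lt() {
    a=$(echo "$1" | tr '.-' '  '); b=$(echo "$2" | tr '.-' '  ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        [ $# -gt 0 ] && shift
    done
    return 1
}

# Print vulnerable / patched / unknown for a release and a `uname -rv` string.
dirtycow_status() {
    fixed=$(fixed_version "$1") || { echo unknown; return 0; }
    running=$(pkg_version "$2") || { echo unknown; return 0; }
    # A different kernel series (e.g. an HWE kernel) is not covered by the list.
    [ "${running%%-*}" = "${fixed%%-*}" ] || { echo unknown; return 0; }
    if ver_lt "$running" "$fixed"; then echo vulnerable; else echo patched; fi
}

# Inputs: the two `uname -rv` lines from the session shown on this page.
dirtycow_status 14.04 "3.13.0-92-generic #139-Ubuntu SMP Tue Jun 28 20:42:26 UTC 2016"
dirtycow_status 14.04 "3.13.0-100-generic #147-Ubuntu SMP Tue Oct 18 16:48:51 UTC 2016"
```

On a live host, pass the release from `lsb_release -rs` and the output of `uname -rv`; an "unknown" result means the running kernel is outside the series listed on this page and has to be checked against the vendor advisory.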