+44 0330 223 3428
Call Us
+44 0330 223 3428

Linux vulnerability branded ‘Dirty COW’

Dirty COW

You may have seen the news about a Linux vulnerability branded ‘Dirty COW’, which affects many Linux servers.

Please see an overview of the vulnerability below and what you need to do.
Dirty COW, or CVE-2016-5195 to use it’s less sensationalist name, is a privilege escalation vulnerability in Linux from October 2016.
The obligatory branded vulnerability website can be found here, replete with logo, proof of concept and more detail on the underlying issue.
Describing what the vulnerability is, what it does and how it came about is better left to thse in the know, this page is aimed at people wanting to patch their way to safety.
The good news is that by the time you’re reading this, all the major linux distributions will have patches available for their various kernels, so it’s simply a matter or running an update through your package manager and restarting your server.

First things first though, let’s check if you’re actually vulnerable.

Checking vulnerability
RedHat have provided a handy script for checking if you’re vulnerable or not. Carry out the following steps which logged into your server over SSH to check.

First, download the script from RedHat using wget:
wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

Then run the script and see what it returns:
bash rh-cve-2016-5195_1.sh
The output should be fairly self explanatory, but if you’re vulnerable it’ll look something like this:
Your kernel is 3.10.0-327.10.1.el7.x86_64 which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .
If vulnerable, you should follow the next section to patch and fix the vulnerability.

If you’re on a Debian or Ubuntu based distribution, the redhat script won’t work, but you can find your kernel version with the following version:
uname -a
This will return something like:
root@dev:~# uname -a
Linux dev 3.13.0-76-generic #120-Ubuntu SMP Mon Jan 18 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
If your kernel version is earlier (lower) than the following list, you’re vulnerable and should follow the next section to update your kernel to safe version.

4.8.0-26.28 for Ubuntu 16.10
4.4.0-45.66 for Ubuntu 16.04 LTS
3.13.0-100.147 for Ubuntu 14.04 LTS
3.2.0-113.155 for Ubuntu 12.04 LTS
3.16.36-1+deb8u2 for Debian 8
3.2.82-1 for Debian 7
4.7.8-1 for Debian unstable

As mentioned previously, there should be a patch available for your kernel version through your standard package manager now.

yum is the package manager at play here, so you can update the kernel with the following command:
yum update kernel
Alternatively, if you’d like to update all packages on your server, you can use:
yum update
After this has completed, you’ll need to reboot your server to load the new kernel:

With Debian based systems, your package manager is aptitude, but we’ll use apt-get here. Run the following to upgrade your packages:
apt-get update && apt-get dist-upgrade
As with CentOS, a reboot is needed to use this new kernel: