Is your system being affected by the Linux Kernel vulnerability? If so, what do you do next?
On October 19, 2016, a kernel vulnerability was discovered by Linux security researcher Phil Oester. The vulnerability has since been nicknamed “Dirty Cow” (CVE-2016-5195) because it manipulates the copy-on-write (COW) function within the memory subsystem of the Linux kernel. The vulnerability was introduced nine years ago, but the issue has only been brought to light in the last week. Experts state that most servers are vulnerable, since the flaw has been present since kernel version 2.6.22. What does this mean for you?
According to Oester, the Dirty Cow vulnerability will be widely exploited if preventive measures are not put in place. He continues, "The exploit in the wild is trivial to execute, never fails and has probably been around for years - the version I obtained was compiled with gcc 4.8". He states, "As Linus [Torvalds] notes in his commit, this is an ancient bug and impacts kernels going back many years. All Linux users need to take this bug very seriously, and patch their systems ASAP."
Users who exploit the Dirty Cow vulnerability can escalate their privileges on an affected system. Privilege escalation lets a regular user raise their access rights to the highest level, giving them access to every part of the system. This has the potential to harm any company or individual with multiple users who have access to systems that contain sensitive data. The best solution is to detect the vulnerability as soon as possible and patch it to avoid security breaches within the system.
What do you do if you think you have been affected by the Dirty Cow vulnerability?
The first step is to detect whether or not you have been affected by the Dirty Cow vulnerability. To verify whether any of your systems are vulnerable to the exploit, run the following checks:
For Debian and Ubuntu:
$ uname -rv
If your kernel version is older than the version listed below for your release, you are most likely affected:
- 4.8.0-26.28 for Ubuntu 16.10
- 4.4.0-45.66 for Ubuntu 16.04 LTS
- 3.13.0-100.147 for Ubuntu 14.04 LTS
- 3.2.0-113.155 for Ubuntu 12.04 LTS
- 3.16.36-1+deb8u2 for Debian 8 (Jessie)
- 3.2.82-1 for Debian 7 (Wheezy)
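The comparison against this list can be scripted. The following is an added example, not part of the original advisory or any vendor tool: it rebuilds the package version from `uname -rv` output and compares it with the fixed versions listed above. It assumes stock kernels whose series matches the release and GNU `sort -V`; the function names and sample strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: rebuild the distro package version from `uname -rv` and
# compare it with the fixed versions listed in this article.

# True when $1 sorts strictly before $2. sort -V (GNU coreutils) approximates
# package ordering; on the host itself `dpkg --compare-versions` is authoritative.
older_than() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

check() {   # $1 = full output of `uname -rv`
    rel=${1%% *}; ver=${1#* }; fixed=
    case "$ver" in
    *Ubuntu*)
        # "4.4.0-45-generic" + "#66-Ubuntu ..." -> package version 4.4.0-45.66
        abi=$(printf '%s\n' "$rel" | sed -n 's/^\([0-9.]*-[0-9][0-9]*\).*/\1/p')
        up=$(printf '%s\n' "$ver" | sed -n 's/^#\([0-9][0-9]*\).*/\1/p')
        pkg="$abi.$up"
        # Assumption: the kernel series identifies the release (stock kernels).
        case "${up:+$abi}" in
            4.8.0-*)  fixed=4.8.0-26.28 ;;
            4.4.0-*)  fixed=4.4.0-45.66 ;;
            3.13.0-*) fixed=3.13.0-100.147 ;;
            3.2.0-*)  fixed=3.2.0-113.155 ;;
        esac ;;
    *"Debian "*)
        # Debian prints the package version itself after the word "Debian".
        pkg=$(printf '%s\n' "$ver" | sed -n 's/.*Debian \([^ ]*\).*/\1/p')
        case "$pkg" in
            3.16.*) fixed=3.16.36-1+deb8u2 ;;
            3.2.*)  fixed=3.2.82-1 ;;
        esac ;;
    esac
    [ -n "$fixed" ] || { echo "unknown: not in the list"; return 2; }
    if older_than "$pkg" "$fixed"; then
        echo "vulnerable: $pkg < $fixed"; return 1
    fi
    echo "patched: $pkg >= $fixed"
}

# Constructed sample strings, followed by the live host.
for s in "3.13.0-98-generic #145-Ubuntu SMP (constructed)" \
         "3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (constructed)" \
         "$(uname -rv)"; do
    check "$s" || true
done
```

An "unknown" result means the kernel is not one of the releases listed here and needs to be checked against the vendor's own advisory.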
Red Hat has provided a detection script that can be downloaded here:
Once downloaded, you can then run the detection script on the local machine with the following command:
$ bash rh-cve-2016-5195_1.sh
It is highly recommended that you patch your server(s) as soon as possible to avoid further vulnerability or risk to any sensitive data or systems. Specific information on operating systems can be found through the following links:
If you have any questions about this vulnerability, please contact our technical support staff by opening a chat or creating a ticket within your control panel.