Dirty CoW - CVE-2016-5195
Posted by Thomas Foster on 21 October 2016 02:17 PM

A vulnerability has been discovered in the Linux kernel that potentially allows anyone with access to a local user account (either legitimately, or by exploiting e.g. an insecure web application) to elevate their privileges to root, and thus take over the entire system. The vulnerability has been assigned the CVE (Common Vulnerabilities and Exposures) identifier CVE-2016-5195, and has been nicknamed Dirty CoW (CoW stands for Copy-on-Write, and refers to the part of the kernel in which the vulnerability was discovered). Red Hat have rated this vulnerability as Important, and an exploit has reportedly been seen "in the wild".

More (technical) information about the vulnerability can be found at https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails

CWCS will install updates for managed servers when they become available as part of our usual security patching routine. Unmanaged customers are responsible for keeping their servers up-to-date themselves; however, if you feel you're unable to do this, we will be able to apply patching for Dirty CoW as a paid special request. If this is a service you require, please contact our sales department at sales@cwcs.co.uk or on 0800 1 777 000.

Users of Red Hat Enterprise Linux and CentOS versions 5, 6 and 7 are affected, although exploits that have been seen so far are reported not to affect versions 5 and 6. Red Hat have not yet released fixed versions of their kernel packages. When they do, it will be announced at https://access.redhat.com/security/cve/cve-2016-5195. These packages will be made available to CentOS users shortly thereafter. This will be announced on the CentOS-announce mailing list, which can be viewed at https://lists.centos.org/pipermail/centos-announce/2016-October/thread.html.

In the meantime, advanced users may wish to mitigate the vulnerability by disabling ptrace functionality in the kernel as explained at https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13. However, please make sure that you have read and understood the caveats mentioned there before doing so.

Once fixed packages have been released, users of these Operating Systems should install them by running 'yum update' via SSH, and then reboot by running 'reboot', or using Tools & Settings -> Server Management -> Restart Server in Plesk, or System Reboot -> Graceful Server Reboot in WHM. Please note that you must update and then reboot; updating alone is not sufficient.

Users of supported Debian or Ubuntu distributions are also affected, unless they are running one of the following kernel versions (or later):

  • Debian 7 (Wheezy) - 3.2.82-1
  • Debian 8 (Jessie) - 3.16.36-1+deb8u2
  • Ubuntu 12.04 LTS (Precise Pangolin) - 3.2.0-113.155 or 3.13.0-100.147~precise1
  • Ubuntu 14.04 LTS (Trusty Tahr) - 3.13.0-100.147 or 4.4.0-45.66~14.04.1
  • Ubuntu 16.04 LTS (Xenial Xerus) - 4.4.0-45.66
  • Ubuntu 16.10 (Yakkety Yak) - 4.8.0-26.28

If your server is not running one of these kernels, you will need to update by running 'apt-get update && apt-get dist-upgrade' via SSH, and then reboot by running 'reboot', or using Tools & Settings -> Server Management -> Restart Server in Plesk. Please note that you must update and then reboot; updating alone is not sufficient.

Ubuntu users who are running an LTS enablement stack will need to ensure that their kernel version is still supported. This can be determined by running the 'hwe-support-status' command (see https://wiki.ubuntu.com/Kernel/LTSEnablementStack for more details).
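
The following is an added example, not part of the original post: a Python check of an installed kernel package version against the fixed versions listed above, using Debian-style version ordering rather than plain string comparison. It assumes the input is the Debian/Ubuntu package version (as printed by `dpkg-query -W -f='${Version}' linux-image-$(uname -r)`), not the `uname -r` string; the release keys, the function names and the matching by major.minor kernel series are assumptions of this example.

```python
import re

# Fixed kernel package versions, copied from the list above.
FIXED = {
    "Debian 7": ["3.2.82-1"],
    "Debian 8": ["3.16.36-1+deb8u2"],
    "Ubuntu 12.04": ["3.2.0-113.155", "3.13.0-100.147~precise1"],
    "Ubuntu 14.04": ["3.13.0-100.147", "4.4.0-45.66~14.04.1"],
    "Ubuntu 16.04": ["4.4.0-45.66"],
    "Ubuntu 16.10": ["4.8.0-26.28"],
}

def _order(c):
    # dpkg ordering inside a non-digit run: "~" sorts before everything,
    # end of run counts as 0, letters sort before other characters.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, as dpkg does.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca, cb = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def deb_cmp(v1, v2):
    # Assumption: kernel package versions have no epoch and a single hyphen.
    (u1, _, r1), (u2, _, r2) = v1.partition("-"), v2.partition("-")
    return _cmp_part(u1, u2) or _cmp_part(r1, r2)

def status(release, installed):
    # Compare only against the fix in the same kernel series (major.minor).
    series = lambda v: ".".join(v.split(".")[:2])
    for fixed in FIXED[release]:
        if series(fixed) == series(installed):
            return "patched" if deb_cmp(installed, fixed) >= 0 else "vulnerable"
    return "not listed"  # e.g. an unsupported enablement-stack kernel
```

Matching on the kernel series matters for releases with two entries: a 3.13 enablement-stack kernel on Ubuntu 12.04 must be compared with the 3.13 fix, not the 3.2 one. A result of "not listed" means no fix for that series appears in the list above.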

You can determine the version of the currently running kernel on your server by running 'uname -r' via SSH. Alternatively, WHM users can find this information under Server Status -> Server Information -> System Information. For example, the following is from a server running the 2.6.32-642.4.2.el6.x86_64 kernel:

Linux server.example.com 2.6.32-642.4.2.el6.x86_64 #1 SMP Tue Aug 23 19:58:13 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

This vulnerability affects all versions of the Linux kernel since 2.6.22 (released in 2007) until it was fixed on 18 October 2016, so if you are running a distribution not mentioned above, then it is almost certainly still vulnerable, but fixes may not be made available. Users of End Of Life distributions (i.e. Red Hat Enterprise Linux or CentOS before version 5, Debian before version 7, or Ubuntu versions other than 12.04, 14.04, 16.04 or 16.10) should contact customer services to discuss migrating to a newer platform as a matter of urgency.

If you have any questions, please do not hesitate to contact our support team on 0808 133 3247, or via https://support.cwcs.co.uk/.