On October 19, 2016, a very dangerous vulnerability in the Linux kernel, named Dirty COW, was disclosed. This zero-day local privilege escalation vulnerability has existed for eleven years, since 2005; it is present in Linux kernel version 2.6.22 and later, which means a vast majority of servers are at risk, including yours.

This bug affects all sorts of Android and Linux kernels and lets any system user become root in no time. Exploiting this vulnerability means that a regular system user on your server can gain write access to any file they only have read access to, files that should not be writable by that user at all. By exploiting the Dirty COW vulnerability, any system user can escalate their privileges on the system or server.

Dirty COW (CVE-2016-5195)

The vulnerability, discovered by Phil Oester, was sarcastically named “Dirty COW” because it is caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

More information on Dirty COW can be found on Canonical, Red Hat, and Debian.

List of affected Linux distros

  • Red Hat Enterprise Linux 5, 6 & 7
  • CentOS Linux 5, 6 & 7
  • Debian Linux wheezy, jessie, stretch & sid
  • Ubuntu Linux 12.04, 14.04, 16.04 & 16.10

How to check Debian/Ubuntu server for Dirty COW vulnerability

To find out whether your server is affected by Dirty COW, check your kernel version with the following command.

uname -a

Sample output:

Linux 3.13.0-95-generic x86_64

If your kernel version is earlier than the following, your server is affected by the Dirty COW vulnerability:

  • 4.8.0-26.28 for Ubuntu 16.10
  • 4.4.0-45.66 for Ubuntu 16.04 LTS
  • 3.13.0-100.147 for Ubuntu 14.04 LTS
  • 3.2.0-113.155 for Ubuntu 12.04 LTS
  • 3.16.36-1+deb8u2 for Debian 8
  • 3.2.82-1 for Debian 7
  • 4.7.8-1 for Debian unstable
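The Ubuntu part of this check can be automated with a short POSIX sh script. This is an added example, not code from the original post: it splits the uname -r release string into upstream version and ABI number (Ubuntu package version 3.13.0-100.147 boots as 3.13.0-100-generic, so the upload suffix is never visible to uname) and compares the ABI number against the fixed versions listed above. The Debian entries are not covered, because Debian's package version is not part of the uname -r string, and the function names fixed_abi and dirtycow_status are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Maps each Ubuntu series
# (identified by its upstream kernel version) to the ABI number of the first
# fixed kernel from the list above; the upload suffix (.28, .66, ...) is not
# shown by uname, so it is not needed for the comparison.
fixed_abi() {
    case "$1" in
        4.8.0)  echo 26 ;;    # Ubuntu 16.10: 4.8.0-26.28
        4.4.0)  echo 45 ;;    # Ubuntu 16.04: 4.4.0-45.66
        3.13.0) echo 100 ;;   # Ubuntu 14.04: 3.13.0-100.147
        3.2.0)  echo 113 ;;   # Ubuntu 12.04: 3.2.0-113.155
        *)      return 1 ;;   # a series this table does not know
    esac
}

# dirtycow_status <uname -r string>: prints vulnerable, patched or unknown.
# "3.13.0-95-generic" splits into upstream 3.13.0, ABI 95, flavour generic.
dirtycow_status() {
    upstream=${1%%-*}
    rest=${1#*-}
    abi=${rest%%-*}
    case "$abi" in
        ''|*[!0-9]*) echo unknown; return 0 ;;   # no numeric ABI: custom kernel
    esac
    if ! fixed=$(fixed_abi "$upstream"); then
        echo unknown
        return 0
    fi
    if [ "$abi" -lt "$fixed" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# Constructed release strings for a self-check, then the running kernel.
for r in 3.13.0-95-generic 3.13.0-100-generic 4.4.0-21-generic 4.4.0-45-generic; do
    printf '%-20s %s\n' "$r" "$(dirtycow_status "$r")"
done
printf '%-20s %s\n' "$(uname -r)" "$(dirtycow_status "$(uname -r)")"
```

A result of unknown means the kernel is not one of the listed Ubuntu series (a custom, upstream or Debian kernel) and must be checked against its own package version instead.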

How to patch Debian/Ubuntu server for Dirty COW

Debian and Ubuntu have already released the fix for the Dirty COW vulnerability; you just need to upgrade your server by installing the patched (latest) kernel.

sudo apt-get update && sudo apt-get dist-upgrade

After installing the fixed kernel, you have to reboot the server for the patched OS to load.

sudo reboot

How to check Red Hat/CentOS server for Dirty COW vulnerability

You can use this script provided by Red Hat to test your server against the Dirty COW vulnerability. Download the script:

wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

Once downloaded, run the script with the following command:

bash rh-cve-2016-5195_1.sh

If your server is vulnerable, you’ll see output like this:

Your kernel is 3.10.0-327.36.1.el7.x86_64 which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively,
you can apply partial mitigation described at
https://access.redhat.com/security/vulnerabilities/2706661

How to patch Red Hat/CentOS server for Dirty COW

Red Hat has still not released the security patch for the Dirty COW vulnerability. Once the patch is released, update the OS with the following commands.

sudo yum update

After installing the fixed kernel, you have to reboot the server for the patched OS to load.

sudo reboot

In the meantime, you can apply Red Hat's temporary mitigation for Dirty COW to your Red Hat/CentOS servers.

Conclusion

Dirty COW is a zero-day vulnerability, and the attack is very hard to detect because exploiting it does not leave a trace in the logs. Hence it is impossible to tell whether someone has exploited Dirty COW against your server. So the only solution is to patch your server immediately to avoid any mishap.

Please keep in mind that updating or upgrading the server should be done by an expert and with great caution, as upgrading the server may break your application or its functionality.