Protect from CVE-2016-5195 (DirtyCow) on CentOS 7/RHEL7/cPanel/CloudLinux

Author: gryzli

On October 19, 2016, the Dirty Cow vulnerability (a kernel privilege escalation vulnerability) went public. From what I have read and tested, the exploit works only on CentOS 7 / RHEL 7 / CloudLinux 7 distros.

I don’t know about other distros, because I’m not interested in them.

How to protect yourself from CVE-2016-5195?

0) (NEW) The Right Way To Update

0.1) If you are using a CloudLinux-based server

If you are using a CloudLinux-based server, you must have already received the update for CL 5/6/7. You just need to do:

After you update your kernel, you must reboot your server in order to load the patched kernel.

 

0.2) If you are using KernelCare rebootless patching

If you are lucky enough to have CL/KernelCare, which is used for dynamic kernel patching, you have already received the updates and you don’t need to do anything.

You can check for the KernelCare patch fix with the following:

You don’t need to reboot in this case!

0.3) If you are using the CentOS 5/6/7 stock kernel (update Tue Oct 25 12:00:50 CDT 2016)

CentOS has released a kernel patch for CentOS 7. What you need to do is the following:

After updating the kernel, you must reboot your server.
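One way to confirm that the reboot required in 0.1 and 0.3 has actually happened, as an added example that is not from the original post: it compares the running kernel with the most recently installed kernel package. The package name `kernel`, the function names and the `--check` argument are assumptions of this example, and the sample values are constructed.

```shell
#!/bin/sh
# Added example: is the host still running an older kernel than the one that
# was installed last, i.e. is the reboot after the update still pending?

# latest_installed: reads "<install-epoch> <version-release.arch>" lines on
# stdin, ignores anything else (e.g. rpm error text), prints the newest entry.
latest_installed() {
    grep -E '^[0-9]+ [^ ]+$' | sort -n -k1,1 | tail -n 1 | cut -d' ' -f2
}

# reboot_pending RUNNING: same stdin as above. Returns 0 when RUNNING is not
# the most recently installed kernel, 1 when it is, 2 when nothing was listed.
reboot_pending() {
    latest=$(latest_installed)
    [ -n "$latest" ] || return 2
    [ "$1" != "$latest" ]
}

# installed_kernels: live query; assumes the kernel package is named "kernel".
installed_kernels() {
    rpm -q kernel --qf '%{INSTALLTIME} %{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null
}

# sample_kernels: constructed input for an offline dry run (not real releases).
sample_kernels() {
    printf '%s\n' '1477400000 3.10.0-200.el7.x86_64' \
                  '1470000000 3.10.0-100.el7.x86_64'
}

# Run against the live host only when called with --check.
if [ "${1:-}" = "--check" ]; then
    rc=0
    installed_kernels | reboot_pending "$(uname -r)" || rc=$?
    case $rc in
        0) echo "REBOOT PENDING: running $(uname -r), a newer kernel is installed"
           exit 1 ;;
        1) echo "OK: running kernel $(uname -r) is the most recently installed" ;;
        *) echo "could not list installed kernel packages" >&2
           exit 2 ;;
    esac
fi
```

KernelCare patches the running kernel in place, so this comparison says nothing about the 0.2 case.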

We are still waiting for CentOS to release kernel patches for CentOS 5 and 6.

1) (OLD) Temporary fix (the systemtap way)

Install the systemtap, kernel-devel and kernel-debuginfo packages

On a basic CentOS 7 (could be cPanel enabled)

 

On CloudLinux 7

 

It is very important to use “--disableexcludes=main” on cPanel-based servers, because they have “exclude=kernel-debuginfo*” in /etc/yum.conf.

2) Create your .stap file

 

 

3) Generate the stap module

 

4) Install the module

Adjust the command based on your previously generated module path!

5) Keep in mind, if you reset the server, the fix goes away!

Keep in mind that the instructions above activate the fix only temporarily. If you restart your server, you must re-run the staprun -L command in order to reload the stap module.

How to test if you are vulnerable?

 

1) Download and compile the PoC

 

2) Copy the binary in some user directory

 

3) Create a read-only, root-owned file

4) Execute the exploit as ‘some_user’ and try to modify the foo file

 

5) Finally check if the file foo is modified:

If you get this:

Then you are VULNERABLE.

 

If you get this

You are SAFE

 

 

UPDATE 23 Oct 2016 – CloudLinux released DirtyCow fix in the stable kernel release

 

CloudLinux announced that they have released the Dirty Cow fix within their stable kernel release for CloudLinux 6 and CloudLinux 7.

CloudLinux 5 has the vulnerability fix in its testing repository.

External resources

Info on dirtycow: http://dirtycow.ninja/

RedHat bugreport: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

More information from SecurityFocus about all vulnerable kernels:

http://www.securityfocus.com/bid/93793
