By Hazel Virdó
staff technical writer
Introduction
On October 19, 2016, a privilege escalation vulnerability in the Linux kernel was disclosed. The bug is nicknamed Dirty COW because the underlying issue was a race condition in the way kernel handles copy-on-write (COW). Dirty COW has existed for a long time — at least since 2007, with kernel version 2.6.22 — so the vast majority of servers are at risk.
Exploiting this bug means that a regular, unprivileged user on your server can gain write access to any file they can read, and can therefore increase their privileges on the system. More information can be found on CVE-2016-5195 from Canonical, Red Hat, and Debian.
Fortunately, most major distributions have already released a fix. All of the base images on DigitalOcean have been updated to include the patched kernel versions, so future Droplets you create will not need to be updated. However, if you’re running an older server, you can follow this tutorial make sure you’re protected.
Check Vulnerability
Ubuntu/Debian
To find out if your server is affected, check your kernel version.
You’ll see output like this:
Output4.4.0-42-generic #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016
If your version is earlier than the following, you are affected:
- 4.8.0-26.28 for Ubuntu 16.10
- 4.4.0-45.66 for Ubuntu 16.04 LTS
- 3.13.0-100.147 for Ubuntu 14.04 LTS
- 3.2.0-113.155 for Ubuntu 12.04 LTS
- 3.16.36-1+deb8u2 for Debian 8
- 3.2.82-1 for Debian 7
- 4.7.8-1 for Debian unstable
CentOS
Some versions of CentOS can use this script provided by RedHat for RHEL to test your server’s vulnerability. To try it, first download the script.
Then run it with bash.
If you’re vulnerable, you’ll see output like this:
OutputYour kernel is 3.10.0-327.36.1.el7.x86_64 which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .
Fix Vulnerability
Fortunately, applying the fix is straightforward: update your system and reboot your server.
On Ubuntu and Debian, upgrade your packages using apt-get.
You can update all of your packages on CentOS 5, 6, and 7 with sudo yum update, but if you only want to update the kernel to address this bug, run:
On older Droplets with external kernel management, you’ll also need to select the DigitalOcean GrubLoader kernel. To do this, go to the control panel, click on the server you want to update. Then, click Kernel in the menu on the left and choose the GrubLoader kernel. You can learn more about updating your Droplet’s kernel in this kernel management tutorial. Newer Droplets with internal kernel management can skip this step.
Finally, on all distributions, you’ll need to reboot your server to apply the changes.
Conclusion
Make sure to update your Linux servers to stay protected from this privilege escalation bug.
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
About the author
hi! i write do.co/docs now, but i used to be the senior tech editor publishing tutorials here in the community.
Still looking for an answer?
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
My server is Ubuntu 14.04, I ran sudo apt-get update && sudo apt-get dist-upgrade and reboot but the version no update?
3.13.0-71-generic #114-Ubuntu SMP Tue Dec 1 02:34:22 UTC 2015
You say it as if you’ve shipped any updates for Ubuntu 16.04 LTS. Still on -24
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-24-generic x86_64)
To folks on older Ubuntu versions having issues: please note that on older Droplets, you’ll need to select DigitalOcean GrubLoader kernel so it will actually load the new kernel version configured in Grub. I’ve updated the tutorial to include instructions for this.
dist-upgrade ? I think you mean just “upgrade”. Also for Ubuntu, Digital Ocean just have 3.13.0-91 and 4.4.0-28
This comment has been deleted
After the reboot you need to check that you are actually running the new kernel!
For some Redhat/CentOS droplets, you need to power off the droplet and set the kernel to boot in the Droplet control panel.
I’m confused. You say “CentOS 5 and 6 were unaffected by this bug” but then say to run rh-cve-2016-5195_1.sh which lists even the latest CentOS 5 kernels as vulnerable:
# bash rh-cve-2016-5195_1.sh
Your kernel is 2.6.18-412.el5xen which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .
Please advise.
This work is licensed under a Creative Commons Attribution-NonCommercial- ShareAlike 4.0 International License.
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.