Tutorial

How To Protect Your Server Against the Dirty COW Linux Vulnerability

Updated on October 31, 2016

staff technical writer

How To Protect Your Server Against the Dirty COW Linux Vulnerability

Introduction

On October 19, 2016, a privilege escalation vulnerability in the Linux kernel was disclosed. The bug is nicknamed Dirty COW because the underlying issue was a race condition in the way kernel handles copy-on-write (COW). Dirty COW has existed for a long time — at least since 2007, with kernel version 2.6.22 — so the vast majority of servers are at risk.

Exploiting this bug means that a regular, unprivileged user on your server can gain write access to any file they can read, and can therefore increase their privileges on the system. More information can be found on CVE-2016-5195 from Canonical, Red Hat, and Debian.

Fortunately, most major distributions have already released a fix. All of the base images on DigitalOcean have been updated to include the patched kernel versions, so future Droplets you create will not need to be updated. However, if you’re running an older server, you can follow this tutorial make sure you’re protected.

Check Vulnerability

Ubuntu/Debian

To find out if your server is affected, check your kernel version.

  1. uname -rv

You’ll see output like this:

Output
4.4.0-42-generic #62-Ubuntu SMP Fri Oct 7 23:11:45 UTC 2016

If your version is earlier than the following, you are affected:

  • 4.8.0-26.28 for Ubuntu 16.10
  • 4.4.0-45.66 for Ubuntu 16.04 LTS
  • 3.13.0-100.147 for Ubuntu 14.04 LTS
  • 3.2.0-113.155 for Ubuntu 12.04 LTS
  • 3.16.36-1+deb8u2 for Debian 8
  • 3.2.82-1 for Debian 7
  • 4.7.8-1 for Debian unstable

CentOS

Some versions of CentOS can use this script provided by RedHat for RHEL to test your server’s vulnerability. To try it, first download the script.

  1. wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

Then run it with bash.

  1. bash rh-cve-2016-5195_1.sh

If you’re vulnerable, you’ll see output like this:

Output
Your kernel is 3.10.0-327.36.1.el7.x86_64 which IS vulnerable. Red Hat recommends that you update your kernel. Alternatively, you can apply partial mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .

Fix Vulnerability

Fortunately, applying the fix is straightforward: update your system and reboot your server.

On Ubuntu and Debian, upgrade your packages using apt-get.

  1. sudo apt-get update && sudo apt-get dist-upgrade

You can update all of your packages on CentOS 5, 6, and 7 with sudo yum update, but if you only want to update the kernel to address this bug, run:

  1. sudo yum update kernel

On older Droplets with external kernel management, you’ll also need to select the DigitalOcean GrubLoader kernel. To do this, go to the control panel, click on the server you want to update. Then, click Kernel in the menu on the left and choose the GrubLoader kernel. You can learn more about updating your Droplet’s kernel in this kernel management tutorial. Newer Droplets with internal kernel management can skip this step.

Finally, on all distributions, you’ll need to reboot your server to apply the changes.

  1. sudo reboot

Conclusion

Make sure to update your Linux servers to stay protected from this privilege escalation bug.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors
Default avatar

staff technical writer

hi! i write do.co/docs now, but i used to be the senior tech editor publishing tutorials here in the community.

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Hazel Virdó
DigitalOcean Employee
DigitalOcean Employee badge
October 21, 2016

To folks on older Ubuntu versions having issues: please note that on older Droplets, you’ll need to select DigitalOcean GrubLoader kernel so it will actually load the new kernel version configured in Grub. I’ve updated the tutorial to include instructions for this.

I had trouble updating a number of my droplets and ultimately discovered this article on how DO handles kernel updates. Hope it helps.

Holy shit.

Was this emailed out to droplet owners???

If not, yall really dropped the ball.

Just learning about this. Patched, now. SMH…

Does someone know a tool with who I can upgrade and manage 40 servers at a time? I am sick of this loggin in and out of ssh,

Looks like they finally released a patch for CentOS 5: 2.6.18-416. I’m going to bounce my servers this evening to get the change in effect. Here is the change log back to the previous version in the repos (412):

  • roll in CentOS Branding
  • [mm] Fix Privilege escalation via MAP_PRIVATE (Larry Woodman) [1385112] {CVE-2016-5195}
  • [fs] gfs2: Initialize atime of I_NEW inodes (Andreas Grunbacher) [1374861]
  • [fs] gfs2: Update file times after grabbing glock (Andreas Grunbacher) [1374861]
  • Revert: [fs] gfs2: Only refresh newer in-memory timestamps (Andreas Grunbacher) [1374861]
  • [redhat] Fix missed -413 kernel version (Alexander Gordeev)
  • [redhat] Disable ‘Invalid version (double separator ‘-’)’ error (Alexander Gordeev) [1375746]
  • [fs] jbd: Fix oops in journal_remove_journal_head() (Lukas Czerner) [1067708]
  • [fs] jbd: Fix race between CP and journal_get_write_access() (Lukas Czerner) [1067708]
  • [fs] ecryptfs: prevent mounts backed by procfs (Mateusz Guzik) [1347100] {CVE-2016-1583}

I am on Debian 8 with kernel:

3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2

When I dist-upgrade it says everything is up to date Listing the kernels gives:

sudo dpkg --list | grep linux-image

ii  linux-image-3.16.0-4-amd64            3.16.36-1+deb8u2                  amd64        Linux 3.16 for 64-bit PCs
ii  linux-image-3.2.0-4-amd64             3.2.73-2+deb7u3                   amd64        Linux 3.2 for 64-bit PCs
ii  linux-image-amd64                     3.16+63                           amd64        Linux for 64-bit PCs (meta-package)

So I did:

sudo update-grub

But it is still 3.2.0-4-amd64 #1 SMP Debian 3.2.41-2+deb7u2

How do I fix this?

Okay, just making change kernel used on the panel, fix this bug? last 3.13.0-29-generic, the new kernel change 3.19.0-58-generic

Fix for CentOS 6 was released: kernel-2.6.32-642.6.2.el6.i686.rpm

Hi, it seems there is no official patches for Centos 6? I was followed this guide https://bugzilla.redhat.com/show_bug.cgi?id=1384344

How can I check again? please check for me in http://torrent4all.com movies torrent server?

Recently released Centos 7.2 kernel-3.10.0-327.36.3.el7.x86_64 seems fixed it, shows now:

Your kernel is 3.10.0-327.36.3.el7.x86_64 which is NOT vulnerable.

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Featured on Community

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more