In this article, we will learn how to fix the Dirty COW Linux vulnerability on CentOS/Red Hat. Dirty COW is a kernel-level privilege escalation vulnerability in Linux that was disclosed on Oct 19, 2016. It is a race condition in the way the kernel handles copy-on-write (COW), and because it has existed for a long time, most servers are at risk. It is tracked by Red Hat as CVE-2016-5195 and affects the kernels shipped with Red Hat Enterprise Linux 5, 6 and 7.
Dirty COW means that a regular, unprivileged user on the server can gain write access to any file they can read, and therefore increase their access on the system.
Most Linux distributions have already released a fix for the vulnerability, so there is no need to worry; we can use this article to apply it.
To check whether a CentOS / RHEL machine is vulnerable, we run the script below, which covers the many kernels shipped for RHEL and CentOS.
We can download the script from the Red Hat site using the link below.
# wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
Output:
--2016-11-21 11:41:19-- https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
Resolving access.redhat.com... 188.8.131.52
Connecting to access.redhat.com|184.108.40.206|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 16478 (16K) [application/x-sh]
Saving to: “rh-cve-2016-5195_1.sh”

100%[======================================>] 16,478 72.4K/s in 0.2s

2016-11-21 11:41:19 (72.4 KB/s) - “rh-cve-2016-5195_1.sh” saved [16478/16478]
Once the file is downloaded, we need to add the executable permission to the script.
# chmod +x rh-cve-2016-5195_1.sh
Now we run the script we just downloaded to detect whether the machine is vulnerable.
# ./rh-cve-2016-5195_1.sh
Output:
Your kernel is 2.6.32-642.6.1.el6.x86_64 which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .
We can apply the fix straight from the RHEL/CentOS repository by updating the kernel and rebooting the server.
Below is the command to update all the packages on the CentOS/RHEL machine.
# sudo yum update
Output:
yum update
Loaded plugins: fastestmirror, security
Setting up Update Process
Determining fastest mirrors
epel/metalink | 4.9 kB 00:00
 * base: mirror.fibergrid.in
 * epel: epel.scopesky.iq
 * extras: mirror.fibergrid.in
 * updates: mirror.fibergrid.in
…
…
Resolving Dependencies
--> Running transaction check
---> Package bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.1 will be updated
---> Package bind-libs.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be an update
---> Package bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.1 will be updated
---> Package bind-utils.x86_64 32:9.8.2-0.47.rc1.el6_8.3 will be an update
---> Package httpd.x86_64 0:2.2.15-54.el6.centos will be updated
---> Package httpd.x86_64 0:2.2.15-55.el6.centos.2 will be an update
---> Package httpd-tools.x86_64 0:2.2.15-54.el6.centos will be updated
---> Package httpd-tools.x86_64 0:2.2.15-55.el6.centos.2 will be an update
---> Package java-1.7.0-openjdk.x86_64 1:220.127.116.11-18.104.22.168.el6_8 will be updated
---> Package java-1.7.0-openjdk.x86_64 1:22.214.171.124-126.96.36.199.el6_8 will be an update
…
kamailio-debuginfo.x86_64 0:4.4.4-1.1
kamailio-mysql.x86_64 0:4.4.4-1.1
kamailio-unixodbc.x86_64 0:4.4.4-1.1
kernel-firmware.noarch 0:2.6.32-642.11.1.el6
kernel-headers.x86_64 0:2.6.32-642.11.1.el6
kexec-tools.x86_64 0:2.0.0-300.el6_8.1
libblkid.x86_64 0:2.17.2-12.24.el6_8.1
libgcrypt.x86_64 0:1.4.5-12.el6_8
libuuid.x86_64 0:2.17.2-12.24.el6_8.1
nss.x86_64 0:3.21.3-2.el6_8
nss-sysinit.x86_64 0:3.21.3-2.el6_8
nss-tools.x86_64 0:3.21.3-2.el6_8
nss-util.x86_64 0:3.21.3-1.el6_8
perf.x86_64 0:2.6.32-642.11.1.el6
policycoreutils.x86_64 0:2.0.83-30.1.el6_8
selinux-policy.noarch 0:3.7.19-292.el6_8.2
selinux-policy-targeted.noarch 0:3.7.19-292.el6_8.2
tzdata.noarch 0:2016i-1.el6
tzdata-java.noarch 0:2016i-1.el6
util-linux-ng.x86_64 0:2.17.2-12.24.el6_8.1
Complete!
Once the update is complete, we need to reboot the machine so that the updates take effect. Below is the command to reboot the machine.
# sudo reboot
Now that we have upgraded the packages and rebooted the machine to address the Dirty COW vulnerability, we need to check whether the kernel was actually upgraded.
We can rerun the script we downloaded in the previous steps to check for the vulnerability, or check the running kernel version directly with uname.
# ./rh-cve-2016-5195_1.sh
Output:
Your kernel is 2.6.32-642.11.1.el6.x86_64 which is NOT vulnerable.
The script now reports that the machine is not vulnerable.
# uname -r
Output:
2.6.32-642.11.1.el6.x86_64
As we can see, the kernel has been updated from 2.6.32-642.6.1.el6.x86_64 to 2.6.32-642.11.1.el6.x86_64, so the Linux machine is safe from the Dirty COW vulnerability.
In this article we have learned how to check for the Dirty COW vulnerability on a CentOS / RHEL Linux machine using the script from Red Hat, how to fix the vulnerability, and how to verify the fix after the update.
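The update, reboot and verify steps above can be collapsed into one check that also catches the common failure of installing the new kernel but never booting it. This is an added example, not Red Hat's detection script or code from the article; the function names are hypothetical, and the baseline is simply the EL6 release the article shows as NOT vulnerable, so releases between the two versions shown are conservatively reported as needing an update.

```bash
#!/bin/bash
# Added example: not Red Hat's detection script.
# ASSUMPTION: the baseline is the EL6 release the article's second run reports
# as NOT vulnerable; the article does not state where the fix first landed.
BASELINE="2.6.32-642.11.1.el6"

# Drop the architecture suffix (only x86_64, the one shown in the article).
strip_arch() { printf '%s\n' "${1%.x86_64}"; }

# version_ge A B: succeeds when A >= B in GNU "sort -V" order, which
# approximates RPM ordering for kernel release strings of this shape.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# kernel_status RUNNING INSTALLED
#   RUNNING   - output of `uname -r`
#   INSTALLED - newline-separated installed kernel releases
# Prints: ok | reboot-pending | needs-update
kernel_status() (
    running=$(strip_arch "$1")
    newest=$(printf '%s\n' "$2" | while read -r k; do strip_arch "$k"; done |
             sort -V | tail -n 1)
    if version_ge "$running" "$BASELINE"; then
        echo ok
    elif version_ge "$newest" "$BASELINE"; then
        echo reboot-pending
    else
        echo needs-update
    fi
)

# Live use on the host (commented out so the functions can be sourced):
# kernel_status "$(uname -r)" \
#   "$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n')"

# Constructed sample: state after `yum update` but before the reboot.
SAMPLE_INSTALLED="2.6.32-642.6.1.el6.x86_64
2.6.32-642.11.1.el6.x86_64"
kernel_status "2.6.32-642.6.1.el6.x86_64" "$SAMPLE_INSTALLED"
```

Red Hat's script remains the authoritative check; this sketch needs GNU `sort -V`, which the coreutils on EL6 and EL7 provide.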