Data Structure
Networking
RDBMS
Operating System
Java
MS Excel
iOS
HTML
CSS
Android
Python
C Programming
C++
C#
MongoDB
MySQL
Javascript
PHP
Physics
Chemistry
Biology
Mathematics
English
Economics
Psychology
Social Studies
Fashion Studies
Legal Studies
- Selected Reading
- UPSC IAS Exams Notes
- Developer's Best Practices
- Questions and Answers
- Effective Resume Writing
- HR Interview Questions
- Computer Glossary
- Who is Who
How To Fix and Protect The Linux Server Against the Dirty COW Vulnerability on Ubuntu
In this article, we will learn about how to fix the Dirty Cow Linux Vulnerability. The Dirty Cow Linux Vulnerability was escalated on Oct 19 2016 as it is a privilege escalation vulnerability in the Linux OS on kernel level which was disclosed with the name as Dirty COW as it will create a condition that kernel handles COW (Copy-on-Write), which exists for a long time since 2007 from kernel version 2.6.22 as most of the servers are at risk.
Dirty Cow means that a regular or an unprivileged user on the server will gain write access to all the files which they can read and therefor increase their access to the system.
As most of the Linux distributions have already released a fix for the vulnerability, you need not worry since this article will help you fix the issue.
Checking for the Vulnerability in the Ubuntu Machine
To check if the Vulnerability is affected to a Linux machine, we have to run the below command –
If the Linux version is older than the following below versions, then that Linux machine is affected:
- 4.8.0-26.28 for Ubuntu 16.10
- 4.4.0-45.66 for Ubuntu 16.04 LTS
- 3.13.0-100.147 for Ubuntu 14.04 LTS
- 3.2.0-113.155 for Ubuntu 12.04 LTS
- 3.16.36-1+deb8u2 for Debian 8
- 3.2.82-1 for Debian 7
- 4.7.8-1 for Debian unstable
$ uname –rv Output: 2.6.32-314-ec2 #27-Ubuntu SMP Wed Mar 2 22:54:48 UTC 2011
Fixing the Dirty Cow Vulenrabilty
We can directly apply the fix straight from the Ubuntu repository, and reboot the server
Below is the command to update the all packages on the Ubuntu Machine –
$ sudo apt-get update && sudo apt-get dist-upgrade Output: Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB] Hit:2 http://in.archive.ubuntu.com/ubuntu xenial InRelease Hit:3 http://deb.kamailio.org/kamailio jessie InRelease Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates InRelease [95.7 kB] Hit:5 http://in.archive.ubuntu.com/ubuntu xenial-backports InRelease Fetched 190 kB in 6s (30.5 kB/s) Reading package lists... Done W: http://deb.kamailio.org/kamailio/dists/jessie/InRelease: Signature by key E79ACECB87D8DCD23A20AD2FFB40D3E6508EA4C8 uses weak digest algorithm (SHA1) Reading package lists... Done Building dependency tree Reading state information... Done Calculating upgrade... Done The following packages were automatically installed and are no longer required: linux-headers-4.4.0-21 linux-headers-4.4.0-21-generic linux-headers-4.4.0-38 linux-headers-4.4.0-38-generic linux-image-4.4.0-21-generic linux-image-4.4.0-38-generic linux-image-extra-4.4.0-21-generic linux-image-extra-4.4.0-38-generic Use 'sudo apt autoremove' to remove them. The following NEW packages will be installed: libpython3.5 snap-confine The following packages will be upgraded: apparmor apport apt apt-utils base-files bash bsdutils cloud-initramfs-copymods cloud-initramfs-dyn-netconf console-setup console-setup-linux dh-python distro-info-data dmidecode dpkg fuse grep grub-legacy-ec2 ifupdown init init-system-helpers initramfs-tools initramfs-tools-bin initramfs-tools-core isc-dhcp-client isc-dhcp-common kbd keyboard-configuration klibc-utils language-pack-en less libapparmor-perl libapparmor1 libapt-inst2.0 libapt-pkg5.0 libblkid1 libc-bin libc-dev-bin libc6 libc6-dev libdrm2 libfdisk1 libfuse2 libglib2.0-0 libglib2.0-data libgnutls-openssl27 libgnutls30 libklibc libldap-2.4-2 liblxc1 libmount1 libp11-kit0 libpam-systemd libplymouth4 libpython3.5-minimal libpython3.5-stdlib libsmartcols1 libsystemd0 libudev1 libuuid1 locales lsb-base lsb-release lxc-common lxcfs lxd lxd-client mdadm mount multiarch-support open-iscsi overlayroot plymouth plymouth-theme-ubuntu-text python3-apport python3-problem-report python3-software-properties python3-urllib3 python3.5 python3.5-minimal shared-mime-info snapd software-properties-common sudo systemd systemd-sysv ubuntu-core-launcher udev unattended-upgrades update-notifier-common util-linux vim vim-common vim-runtime vim-tiny vlan 96 upgraded, 2 newly installed, 0 to remove and 0 not upgraded. Need to get 52.3 MB of archives. After this operation, 18.5 MB of additional disk space will be used. Do you want to continue? [Y/n]Y Get:1 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 base-files amd64 9.4ubuntu4.3 [67.7 kB] Get:2 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 bash amd64 4.3-14ubuntu1.1 [583 kB] Get:3 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 bsdutils amd64 1:2.27.1-6ubuntu3.1 [51.8 kB] Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 dpkg amd64 1.18.4ubuntu1.1 [2,083 kB] Get:5 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 grep amd64 2.25-1~16.04.1 [153 kB] Get:6 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 init-system-helpers all 1.29ubuntu3 [32.4 kB] Get:7 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 init amd64 1.29ubuntu3 [4,716 B] Get:8 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libpam-systemd amd64 229-4ubuntu12 [115 kB] Get:9 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libudev1 amd64 229-4ubuntu12 [55.2 kB] Get:10 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 mdadm amd64 3.3-2ubuntu7.1 [394 kB] Get:11 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 udev amd64 229-4ubuntu12 [993 kB] Get:12 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 ifupdown amd64 0.8.10ubuntu1.1 [54.9 kB] Get:13 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libsystemd0 amd64 229-4ubuntu12 [205 kB] … … … Setting up overlayroot (0.27ubuntu1.2) ... Setting up vlan (1.9-3.2ubuntu1.16.04.1) ... Installing new version of config file /etc/network/if-pre-up.d/vlan ... Setting up kbd (1.15.5-1ubuntu5) ... Setting up console-setup-linux (1.108ubuntu15.2) ... Installing new version of config file /etc/console-setup/compose.ISO-8859-1.inc ... Installing new version of config file /etc/console-setup/compose.ISO-8859-13.inc ... Installing new version of config file /etc/console-setup/compose.ISO-8859-14.inc ... Installing new version of config file /etc/console-setup/compose.ISO-8859-15.inc ... Installing new version of config file /etc/console-setup/compose.ISO-8859-2.inc ... Installing new version of config file /etc/console-setup/compose.ISO-8859-3.inc ... Installing new version of config file /etc/console-setup/compose.ISO-8859-4.inc ... Installing new version of config file /etc/console-setup/compose.ISO-8859-7.inc ... Installing new version of config file /etc/console-setup/compose.ISO-8859-9.inc ... Setting up liblxc1 (2.0.5-0ubuntu1~ubuntu16.04.2) ... Setting up lxc-common (2.0.5-0ubuntu1~ubuntu16.04.2) ... Installing new version of config file /etc/apparmor.d/abstractions/lxc/container-base ... Installing new version of config file /etc/apparmor.d/abstractions/lxc/start-container ... Setting up lxd (2.0.5-0ubuntu1~ubuntu16.04.1) ... Setting up console-setup (1.108ubuntu15.2) ... update-initramfs: deferring update (trigger activated) Processing triggers for initramfs-tools (0.122ubuntu8.5) ... update-initramfs: Generating /boot/initrd.img-4.4.0-47-generic W: mdadm: /etc/mdadm/mdadm.conf defines no arrays. Processing triggers for systemd (229-4ubuntu12) ... Processing triggers for ureadahead (0.100.0-19) ... Processing triggers for libc-bin (2.23-0ubuntu4) ...
Once the system is updated we needed to restart the machine, below is the command to reboot the machine
$sudo init 6
Verify the system after Update for Kernel Update
As we have upgraded the packages and updated the machine for the Drity Cow Vulnerabilty, we need to check whether the patch is applied or not. Below is the command to verify.
$ sudo uname -rv Output: 4.4.0-47-ec2 #68-Ubuntu SMP Wed Oct 26 19:39:52 UTC 2016
As we can see that the kernel is updated from 2.6.32-314 to 4.4.0-47, so the Linux machine is safe from Dirty Cow Vulnerability.
In the above article we have learned how to check for the Dirty Cow Vulnerability on the Linux machine and we have also learned how to fix the Dirty Cow Vulnerability and verify.
170 Views
