Dirty COW — What is it and how it affects your Linux server

Here at Magebit when we propose to fix Dirty COW vulnerability we get questions such as what is it, why it is necessary to patch it and how did my server get infected. That is why I was encouraged to make this post — to explain the above and have a deeper look into the vulnerability.

What is Dirty COW vulnerability

Dirty COW is the nickname of a vulnerability that exploits a race condition. The COW stands for Copy-On-Write as it uses the copy-on-write mechanism to be exploited. The bug was in the Linux kernels since September 2007 release but it has gained a huge popularity and it is now actively used at least since October 2016.

What does it do?

The vulnerability allows a user to gain write access to files that the user can only see and read. That means if a hacker gains read only access to the whole server the hacker can do anything — change log files, screw up the whole system and play with your nerves. You can read more detailed info about CVE-2016–5195 at Debian, Red Hat and Canonical sites.

How to detect Dirty COW vulnerability

There are several ways to detect if your system is vulnerable to Dirty COW. If you are using Linux (even Android) — read further. Otherwise, for example, if you have Windows — you are not vulnerable and you can skip this part.

Option 1 — check kernel version

The easiest and fastest way to check if you are vulnerable to Dirty COW is to check the kernel version of your system.

Ubuntu / Debian

Just write the following command in console:

uname -rv

Check the version and if your version is prior the following — your system is vulnerable.

4.8.0–26.28 for Ubuntu 16.104.4.0–45.66 for Ubuntu 16.04 LTS3.13.0–100.147 for Ubuntu 14.04 LTS3.2.0–113.155 for Ubuntu 12.04 LTS3.16.36–1+deb8u2 for Debian 83.2.82–1 for Debian 74.7.8–1 for Debian unstable

CentOS

For CentOS you can use a script provided by RedHat. First, you need to run this command to get the script:

wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

Then just run it in bash:

bash rh-cve-2016-5195_1.sh

If you are vulnerable, you will get something like this:

Your kernel is 3.10.0-327.36.1.el7.x86_64 which IS vulnerable.

Option 2 — try the exploit

The best way to test if you are vulnerable is to actually try exploiting the vulnerability. In order to do that we must first get the script:

curl https://raw.githubusercontent.com/dirtycow/dirtycow.github.io/master/dirtyc0w.c > dirtyc0w.c

Then run these commands:

sudo -secho This is a TEST > foochmod 0404 foogcc -pthread dirtyc0w.c -o dirtyc0w./dirtyc0w foo vulnerable

The above will create a file called “foo” with contents “This is a TEST”. The last command will try to modify the file contents to “vulnerable”. If your system is vulnerable the file “foo” will have the content “vulnerable”. If your system is not vulnerable the file “foo” will have the original content “This is a TEST”. To check that you can run this command:

cat foo

How to fix Dirty COW vulnerability

The vulnerability is quite easy to fix but it can break a lot of stuff if this is done on a poorly maintained server with different integrations/additions such as multiple storage blocks attached to different mysql servers or AWS S3 integration to many applications on the system. That is why it is recommended to get professionals to fix this.

If the server is well maintained with no complex data it is pretty easy to patch. Just run this command on Ubuntu or Debian:

sudo apt-get update && sudo apt-get dist-upgrade

Or this command if you are on CentOS:

sudo yum update kernel

Then you need to reboot your server. To do that run this command:

sudo reboot

References:https://en.wikipedia.org/wiki/Dirty_COWhttps://www.redpacketsecurity.com/testing-dirty-cow-cve-2016-5195/https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-dirty-cow-linux-vulnerabilityhttps://dirtycow.ninja/