Patching the Dirty Cow Exploit on CentOS
What is “Dirty Cow (CVE-2016-5195)”?
The “Dirty Cow” vulnerability is a flaw in how the Linux kernel handles copy-on-write (COW) memory. It allows an unprivileged user to gain root privileges, and it can be exploited on any server running a vulnerable kernel. At the time of writing, updates have been released for certain operating systems, but others remain affected. The vulnerability is typically used on shared hosting accounts with shell access. As such, to prevent damage to other users, updating is crucial.
Affected systems
Any CentOS 5/6/7 system.
Test and patching
Red Hat provides a script that tests whether your server is vulnerable. Download and run it with:
wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
bash rh-cve-2016-5195_1.sh
If your server is vulnerable, you will be notified by the script:
Your kernel is <version here> which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .
If you are indeed vulnerable, proceed to the next step. Otherwise, no action is required.
Patching is quite simple:
yum update -y
reboot
Check that your server was patched by running the rh-cve-2016-5195_1.sh script again. If your server is still affected, we must patch it manually.
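As a second check after the update and reboot, the script below (an added example, not Red Hat's script and not part of the original article) distinguishes "update not applied" from "updated but still running the old kernel". It assumes the vendor kernel changelog names the CVE once the fix is included; the package names and changelog lines in it are constructed placeholders.

```bash
#!/bin/bash
# Added example (not Red Hat's script): post-update check for CVE-2016-5195.
# Assumption: the vendor kernel changelog names the CVE once the fix is in.
CVE="CVE-2016-5195"

# Reads RPM changelog text on stdin, prints yes if it mentions the CVE.
has_fix() {
    if grep -q -- "$CVE"; then echo yes; else echo no; fi
}

# verdict RUNNING_PKG NEWEST_PKG RUNNING_FIXED NEWEST_FIXED  (flags: yes/no)
verdict() {
    if [ "$3" = yes ]; then
        echo patched
    elif [ "$1" != "$2" ] && [ "$4" = yes ]; then
        echo reboot-needed   # fixed kernel is installed but not booted
    else
        echo vulnerable      # no installed kernel carries the fix
    fi
}

# Live check: collects the four inputs from rpm on the local machine.
check_live() {
    running=$(rpm -qf "/boot/vmlinuz-$(uname -r)") || return 2
    name=$(rpm -q --qf '%{NAME}' "$running")   # kernel, kernel-PAE, ...
    newest=$(rpm -q --last "$name" | head -n 1 | awk '{print $1}')  # latest install
    verdict "$running" "$newest" \
        "$(rpm -q --changelog "$running" | has_fix)" \
        "$(rpm -q --changelog "$newest" | has_fix)"
}

# Constructed sample data: placeholder package names and changelog lines.
OLD_PKG="kernel-OLD.example"
NEW_PKG="kernel-NEW.example"
OLD_LOG="- [fs] constructed unrelated entry"
NEW_LOG="- [mm] constructed entry for the fix {CVE-2016-5195}"

demo() {
    old=$(printf '%s\n' "$OLD_LOG" | has_fix)
    new=$(printf '%s\n' "$NEW_LOG" | has_fix)
    verdict "$OLD_PKG" "$OLD_PKG" "$old" "$old"   # update not applied
    verdict "$OLD_PKG" "$NEW_PKG" "$old" "$new"   # updated, not rebooted
    verdict "$NEW_PKG" "$NEW_PKG" "$new" "$new"   # updated and rebooted
}

# "--live" queries this machine; the default runs the offline samples.
if [ "${1:-}" = "--live" ]; then check_live; else demo; fi
```

Run it with --live on the server itself. The SystemTap mitigation described in the next section does not change the result, because it does not replace the kernel package.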
Manual patch
We must install SystemTap, which is used to load the mitigation into the running kernel:
yum install systemtap -y
Now, create a file called new.stp.
Paste the following:
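// Force writes through /proc/<pid>/mem to a length of zero.
probe kernel.function("mem_write").call ? {
    $count = 0
}

// Replace every ptrace request code with 0xfff.
probe syscall.ptrace { // includes compat ptrace as well
    $request = 0xfff
}

// Log to the kernel ring buffer when the mitigation loads and unloads.
probe begin {
    printk(0, "CVE-2016-5195 mitigation loaded")
}

probe end {
    printk(0, "CVE-2016-5195 mitigation unloaded")
}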
Save, then exit.
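Run the following command. The -g flag enables SystemTap's guru mode, which the script needs in order to overwrite the probed functions' arguments: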
stap -g new.stp
Now, reboot your server:
shutdown -r now
Conclusion
Congratulations. You have updated your server successfully.