Cow – Copy On Write. How to Fix Your Linux Kernel?

COW stands for Copy On Write, and "Dirty COW" is a Linux kernel vulnerability that can allow an attacker to gain root access.

Have you patched your Linux kernel against this dangerous bug?

Copy On Write – Introduction to Hacking ( No – not really )

On October 19, 2016, a privilege escalation vulnerability in the Linux kernel was disclosed. The bug is nicknamed Dirty COW because the underlying issue is a race condition in the way the kernel handles copy-on-write (COW). Dirty COW has existed for a long time — at least since 2007, with kernel version 2.6.22 — so the vast majority of servers are at risk.

Exploiting this bug means that a regular, unprivileged user on your server can gain write access to any file they can read, and can therefore increase their privileges on the system.

More information can be found on CVE-2016-5195 from Canonical, Red Hat, and Debian.

There are quite a few great groups who write about CMS malware, like the kind that plagues WordPress, Joomla or Drupal installations.

This one, however, sits deeper in the OS than our WordPress friends usually write about.

COW, the kernel's copy-on-write mechanism, could allow a user with almost no rights to gain write access to server memory holding code/data above his pay grade and thus promote himself to root.

No one is saying exactly how one would do this, but I imagine you first need to write a C program that attempts to allocate memory as incorrectly as possible via copy-on-write; then, after it's allocated, stuff crashes, and during that confusion, if your program wrapped the crash within error handling, you now have access to write to something (in the error handling?) that belongs to the supervisor or a pay grade above yours. Sheer conjecture, but it's gotta be something like that …

If you had access to write to something, for a hacker that something would almost certainly be /etc/passwd, so that you can add yourself somewhere in that list, lol.

This bug has been around for a long time, and I believe someone quoted Linus Torvalds as saying maybe even 9 years.

But I remember several hardened Linux kernels raising their security levels all around because of something similar to this years ago, so I am quite confused as to how it's suddenly taking precedence.

When I read about it this week, I instantly thought that the article must be 10+ years old, but it wasn't.

So, how do we fix this?

Fix Vulnerability

Fortunately, applying the fix is straightforward: update your system and reboot your server.

On Ubuntu and Debian, upgrade your packages using apt-get.

  • sudo apt-get update && sudo apt-get dist-upgrade

You can update all of your packages on CentOS 6 and 7 with sudo yum update, but if you only want to update the kernel to address this bug, run:

  • sudo yum update kernel

Right now, we’re still waiting on a fix for CentOS 5. In the interim, you can use this workaround from the Red Hat bug tracker.

On older Droplets with external kernel management, you’ll also need to select the DigitalOcean GrubLoader kernel. To do this, go to the control panel, click on the server you want to update. Then, click Kernel in the menu on the left and choose the GrubLoader kernel. Newer Droplets with internal kernel management can skip this step.

Finally, on all distributions, you’ll need to reboot your server to apply the changes.

  • sudo reboot
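The update-and-reboot procedure above, collected into one script as an added example (this is not code from the original post or from any distribution vendor). It assumes /etc/os-release exists (CentOS 7, Debian and Ubuntu have it; CentOS 5 and 6 do not), that dpkg or rpm is available for the respective family, and that sudo is configured. The useful part is the check at the end: after the package update it compares the running kernel with the newest installed kernel package, so you can tell whether the reboot is still pending, or whether the running kernel is not from the package manager at all (the externally managed kernel case mentioned for older Droplets). The live update only runs when the script is invoked with --apply; the helper functions take their inputs as arguments so they can be exercised offline.

```shell
#!/bin/sh
# Added example: detect the distro family, apply the kernel update and report
# whether a reboot is still needed. Assumes /etc/os-release, dpkg/rpm and sudo.

# Map the contents of /etc/os-release (passed as a string) to a package family.
detect_family() {
    case "$1" in
        *ID_LIKE=*debian*|*ID=debian*|*ID=ubuntu*) echo debian ;;
        *ID_LIKE=*rhel*|*ID=centos*|*ID=\"centos\"*|*ID=rhel*) echo rhel ;;
        *) echo unknown ;;
    esac
}

# Newest installed kernel version, formatted like the output of `uname -r`.
newest_installed_kernel() {
    case "$1" in
        debian)
            dpkg-query -W -f='${Status} ${Package}\n' 'linux-image-[0-9]*' 2>/dev/null \
                | grep '^install ok installed' \
                | sed 's/.*linux-image-//' | sort -V | tail -n 1 ;;
        rhel)
            rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' 2>/dev/null \
                | sort -V | tail -n 1 ;;
    esac
}

# Compare the running kernel ($1) with the newest installed one ($2):
#   yes      -> a newer kernel is installed, reboot still pending
#   no       -> already running the newest installed kernel
#   external -> running kernel is newer than any package (managed outside the
#               package manager, e.g. by the hosting provider's control panel)
reboot_needed() {
    running="$1"; newest="$2"
    if [ "$running" = "$newest" ]; then
        echo no
    elif [ "$(printf '%s\n%s\n' "$running" "$newest" | sort -V | tail -n 1)" = "$newest" ]; then
        echo yes
    else
        echo external
    fi
}

# Apply the update for this host and print what to do next.
main() {
    family=$(detect_family "$(cat /etc/os-release 2>/dev/null)")
    case "$family" in
        debian) sudo apt-get update && sudo apt-get -y dist-upgrade ;;
        rhel)   sudo yum -y update kernel ;;
        *)      echo "unsupported or unknown distribution; follow your vendor's advisory" >&2; return 1 ;;
    esac
    newest=$(newest_installed_kernel "$family")
    case "$(reboot_needed "$(uname -r)" "$newest")" in
        yes)      echo "kernel $newest installed; reboot required (running $(uname -r))" ;;
        no)       echo "already running newest installed kernel $(uname -r)" ;;
        external) echo "running kernel $(uname -r) is not from a package; check your host's kernel management" ;;
    esac
}

if [ "${1:-}" = "--apply" ]; then
    main
fi
```

Run it as `sudo sh dirtycow-update.sh --apply`, then `sudo reboot` when it reports a pending reboot. The version comparison uses GNU `sort -V`, so the script expects coreutils rather than busybox.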

Conclusion

Make sure to update your Linux servers to stay protected from this privilege escalation bug.

If you don't have SSH access to your server, ask your hosting company or administrator whether they have patched for Dirty COW yet.